diff --git a/enums/integer/hh3c/HH3C-SYS-MAN-MIB.yml b/enums/integer/hh3c/HH3C-SYS-MAN-MIB.yml
new file mode 100644
index 00000000..38ea1523
--- /dev/null
+++ b/enums/integer/hh3c/HH3C-SYS-MAN-MIB.yml
@@ -0,0 +1,17 @@
+# hh3cSysReloadAction
+.1.3.6.1.4.1.25506.2.3.1.3.2:
+ 1: 'unavailable' # reloadUnavailable
+ 2: 'scheduled' # reloadOnSchedule
+ 3: 'immediate' # reloadAtOnce
+ 4: 'cancelled' # reloadCancel
+
+# hh3cSysImageType
+.1.3.6.1.4.1.25506.2.3.1.4.2.1.5:
+ 1: 'main' # main
+ 2: 'backup' # backup
+ 3: 'none' # none
+ 4: 'secure' # secure
+ 5: 'main-backup' # main-backup
+ 6: 'main-secure' # main-secure
+ 7: 'backup-secure' # backup-secure
+ 8: 'main-backup-secure' # main-backup-secure
diff --git a/enums/integer/ietf/DISMAN-EVENT-MIB.yml b/enums/integer/ietf/DISMAN-EVENT-MIB.yml
index 0d94770a..443fcd10 100644
--- a/enums/integer/ietf/DISMAN-EVENT-MIB.yml
+++ b/enums/integer/ietf/DISMAN-EVENT-MIB.yml
@@ -1,26 +1,26 @@
 .1.3.6.1.2.1.88.2.1.6:
- -6: sampleOverrun
- -5: badType
- -4: noResponse
- -3: destinationUnreachable
- -2: badDestination
- -1: localResourceLack
- 0: noError
- 1: tooBig
- 2: noSuchName
- 3: badValue
- 4: readOnly
- 5: genErr
- 6: noAccess
- 7: wrongType
- 8: wrongLength
- 9: wrongEncoding
- 10: wrongValue
- 11: noCreation
- 12: inconsistentValue
- 13: resourceUnavailable
- 14: commitFailed
- 15: undoFailed
- 16: authorizationError
- 17: notWritable
- 18: inconsistentName
+ -6: 'sample overrun' # sampleOverrun
+ -5: 'bad type' # badType
+ -4: 'no response' # noResponse
+ -3: 'destination unreachable' # destinationUnreachable
+ -2: 'bad destination' # badDestination
+ -1: 'lack of local resources' # localResourceLack
+ 0: 'no error' # noError
+ 1: 'too big' # tooBig
+ 2: 'no such name' # noSuchName
+ 3: 'bad value' # badValue
+ 4: 'read-only' # readOnly
+ 5: 'generic error' # genErr
+ 6: 'no access' # noAccess
+ 7: 'wrong type' # wrongType
+ 8: 'wrong length' # wrongLength
+ 9: 'wrong encoding' # wrongEncoding
+ 10: 'wrong value' # wrongValue
+ 11: 'no creation' # noCreation
+ 12: 'inconsistent value' # inconsistentValue
+ 13: 'resource unavailable' # resourceUnavailable
+ 14: 'commit failed' # commitFailed
+ 15: 'undo failed' # undoFailed
+ 16: 'authorization error' # authorizationError
+ 17: 'not writable' # notWritable
+ 18: 'inconsistent name' # inconsistentName
diff --git a/enums/integer/ietf/FRAME-RELAY-DTE-MIB.yml b/enums/integer/ietf/FRAME-RELAY-DTE-MIB.yml
new file mode 100644
index 00000000..3a9a22d0
--- /dev/null
+++ b/enums/integer/ietf/FRAME-RELAY-DTE-MIB.yml
@@ -0,0 +1,5 @@
+# frCircuitState
+.1.3.6.1.2.1.10.32.2.1.3:
+ 1: 'invalid'
+ 2: 'active'
+ 3: 'inactive'
diff --git a/enums/integer/paloalto/PAN-TRAPS.yml b/enums/integer/paloalto/PAN-TRAPS.yml
new file mode 100644
index 00000000..f3a94743
--- /dev/null
+++ b/enums/integer/paloalto/PAN-TRAPS.yml
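Review bot: In enums/integer/ietf/DISMAN-EVENT-MIB.yml the enum labels change from the MIB identifiers to display text, so any consumer that matches on the old values (for example an alert or correlation rule keyed on `authorizationError` or `noResponse`) would stop matching without an error. The rule file removed further down this page stores this lookup in `root.out.IETF.mteFailedReason` and also concatenates it into the event message; the replacement rule file is not visible here, so whether the stored field is meant to change is unclear. If only the message should read better, consider keeping the identifier in the stored field and using the display text for the message. The table also lacks the object-name header the new enum files in this commit carry; adding `# mteFailedReason` above `.1.3.6.1.2.1.88.2.1.6:` would make it consistent.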
@@ -0,0 +1,26 @@
+# panSystemSeverity
+.1.3.6.1.4.1.25461.2.1.3.1.303:
+ 0: 'unused' # unused
+ 1: 'informational' # informational
+ 2: 'low' # low
+ 3: 'medium' # medium
+ 4: 'high' # high
+ 5: 'critical' # critical
+
+# panSystemSeverity
+.1.3.6.1.4.1.25461.2.1.3.1.303_code:
+ 0: '4' # unused
+ 1: '6' # informational
+ 2: '5' # low
+ 3: '4' # medium
+ 4: '3' # high
+ 5: '2' # critical
+
+# panSystemSeverity
+.1.3.6.1.4.1.25461.2.1.3.1.303_level:
+ 0: 'Warning' # unused
+ 1: 'Informational' # informational
+ 2: 'Notice' # low
+ 3: 'Warning' # medium
+ 4: 'Error' # high
+ 5: 'Critical' # critical
diff --git a/traps/enterprises.yml b/traps/enterprises.yml
index 548f6893..8fa5496f 100644
--- a/traps/enterprises.yml
+++ b/traps/enterprises.yml
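Review bot: In enums/integer/paloalto/PAN-TRAPS.yml the `_code` table stores severity codes as quoted strings (`'4'`), while the rule files shown on this page assign `root.out.event.severity.code = 4` as a number. If the Palo Alto rule copies the lookup result into that field unchanged, consumers that filter or sort severity numerically may handle these firewall events differently from every other source; the rule file is not visible here, so please confirm it converts the value. All three tables also carry the same header `# panSystemSeverity`; labelling the derived ones, e.g. `# panSystemSeverity -> event.severity.code` and `# panSystemSeverity -> event.severity.level`, would make their purpose clear. Value 0 (`unused`) maps to `'4'`/`Warning`, the same as `medium`; if that is a deliberate default, a short comment saying so would help.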
@@ -5,14 +5,23 @@ unsupported: unsupported.yml .1.2.840.10036.1.6: ieee/IEEE802dot11-MIB-dot11SMTnotification.yml # IETF -.1.3.6.1.2.1.14.16: IETF/OSPF-TRAP-MIB-ospfTraps.yml -.1.3.6.1.2.1.14.16.2: IETF/OSPF-TRAP-MIB-ospfTraps.yml -.1.3.6.1.2.1.15: IETF/BGP4-MIB-bgp.yml -.1.3.6.1.2.1.15.7: IETF/BGP4-MIB-bgpTraps.yml -.1.3.6.1.2.1.17: IETF/BRIDGE-MIB-dot1dBridge.yml -.1.3.6.1.2.1.26: IETF/MAU-MIB-snmpDot3MauMgt.yml -.1.3.6.1.2.1.43.18.2: IETF/Printer-MIB-printerV1Alert.yml -.1.3.6.1.2.1.123: IETF/NAT-MIB-natMIB.yml +.1.3.6.1.2.1.10.18.15: ietf/DS1-MIB-ds1Traps.yml +.1.3.6.1.2.1.10.30.15: ietf/DS3-MIB-ds3Traps.yml +.1.3.6.1.2.1.10.32: ietf/FRAME-RELAY-DTE-MIB-frameRelayDTE.yml +.1.3.6.1.2.1.14.16: ietf/OSPF-TRAP-MIB-ospfTraps.yml +.1.3.6.1.2.1.14.16.2: ietf/OSPF-TRAP-MIB-ospfTraps.yml +.1.3.6.1.2.1.15: ietf/BGP4-MIB-bgp.yml +.1.3.6.1.2.1.15.7: ietf/BGP4-MIB-bgpTraps.yml +.1.3.6.1.2.1.17: ietf/BRIDGE-MIB-dot1dBridge.yml +.1.3.6.1.2.1.26: ietf/MAU-MIB-snmpDot3MauMgt.yml +.1.3.6.1.2.1.43.18.2: ietf/Printer-MIB-printerV1Alert.yml +.1.3.6.1.2.1.55.2: ietf/IPV6-MIB-ipv6Notifications.yml +.1.3.6.1.2.1.68: ietf/VRRP-MIB-vrrpMIB.yml +.1.3.6.1.2.1.88.2: ietf/DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix.yml +.1.3.6.1.2.1.123: ietf/NAT-MIB-natMIB.yml +.1.3.6.1.2.1.137: ietf/T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB.yml +.1.3.6.1.2.1.207: ietf/VRRPV3-MIB-vrrpv3MIB.yml +.1.3.6.1.2.1.214: ietf/RBRIDGE-MIB-rbridgeMIB.yml # Cisco .1.3.6.1.4.1.9.9.43.2: cisco/CISCO-CONFIG-MAN-MIB-ciscoConfigManMIBNotificationPrefix.yml @@ -47,6 +56,9 @@ unsupported: unsupported.yml # .1.3.6.1.4.1.3375.3.6: f5/F5-EM-MIB-emAlerts.yml # .1.3.6.1.4.1.3375.3.6.0: f5/F5-EM-MIB-emAlertConfigObjects.yml +# NET-SNMP +.1.3.6.1.4.1.8072.4: netsnmp/NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix.yml + # Stormshield .1.3.6.1.4.1.11256.1.6: stormshield/STORMSHIELD-ALARM-MIB-snsNotifications.yml 
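Review bot: The lower-cased `ietf/…` targets in traps/enterprises.yml (this hunk, and the hunks at -58,45 and -373,4) only resolve if every referenced rule file exists under exactly that path, and this part of the commit shows only deletions under `traps/rules/IETF/`. On a case-sensitive filesystem a missed move or rename would presumably route those traps to the `unsupported` fallback with no error, a quiet loss of visibility for the affected devices. A load-time or CI check that each value in this map names an existing file would catch that, including the renamed targets `ietf/VRRP-MIB-vrrpMIB.yml` and `ietf/IPV6-MIB-ipv6Notifications.yml`. A header comment such as `# Paths are case-sensitive and relative to traps/rules/` would document the convention, if that is indeed the base directory. The new `h3c/HH3C-SYS-MAN-MIB-…` entry in the -58,45 hunk spells the vendor directory differently from `enums/integer/hh3c/` added in the same commit; worth confirming that is intended.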
@@ -58,45 +70,46 @@ unsupported: unsupported.yml .1.3.6.1.4.1.12356.102.0: fortinet/FORTINET-FORTIANALYZER-MIB-faTraps.yml .1.3.6.1.4.1.12356.105: fortinet/FORTINET-FORTIMAIL-MIB-fnFortiMailMib.yml +# Palo Alto Networks +.1.3.6.1.4.1.25461.2.1.3.2: paloalto/PAN-TRAPS-panCommonEventEvents.yml + +# H3C/Comware +.1.3.6.1.4.1.25506.2.3.2: h3c/HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications.yml + # DRAFTS .1.3.6.1.2.1.1.9.7.1: hp/TapeAlert-MIB-tapeAlert.yml .1.3.6.1.2.1.1.11.1.2: hitachi/Hitachi-DF-RAID-LAN-MIB-dfraidLan.yml -.1.3.6.1.2.1.10.5: IETF/RFC1382-MIB-x25.yml -.1.3.6.1.2.1.10.18.15: IETF/DS1-MIB-ds1Traps.yml -.1.3.6.1.2.1.10.20.2: IETF/ISDN-MIB-isdnMibTraps.yml -.1.3.6.1.2.1.10.21.2: IETF/DIAL-CONTROL-MIB-dialControlMibTraps.yml -.1.3.6.1.2.1.10.30.15: IETF/DS3-MIB-ds3Traps.yml -.1.3.6.1.2.1.10.48: IETF/HDSL2-SHDSL-LINE-MIB-hdsl2ShdslNotifications.yml -.1.3.6.1.2.1.10.49.2: IETF/APS-MIB-apsNotificationsPrefix.yml -.1.3.6.1.2.1.10.94.1.2.1: IETF/ADSL-LINE-MIB-adslAtucTraps.yml -.1.3.6.1.2.1.10.94.1.2.2: IETF/ADSL-LINE-MIB-adslAturTraps.yml -.1.3.6.1.2.1.10.166.2: IETF/MPLS-LSR-STD-MIB-mplsLsrNotifications.yml -.1.3.6.1.2.1.10.166.3: IETF/MPLS-TE-STD-MIB-mplsTeNotifications.yml -.1.3.6.1.2.1.16: IETF/RMON-MIB-rmonEventsV2.yml -.1.3.6.1.2.1.16.29.2: IETF/HC-ALARM-MIB-hcAlarmNotifPrefix.yml -.1.3.6.1.2.1.22: IETF/SNMP-REPEATER-MIB-snmpDot3RptrMgt.yml -.1.3.6.1.2.1.33.2: IETF/UPS-MIB-upsTraps.yml -.1.3.6.1.2.1.39.2: IETF/RDBMS-MIB-rdbmsTraps.yml -.1.3.6.1.2.1.44.2: IETF/MIP-MIB-mipMIBNotifications.yml -.1.3.6.1.2.1.46.1: IETF/DLSW-MIB-dlswTraps.yml -.1.3.6.1.2.1.47.2: IETF/ENTITY-MIB-entityMIBTrapPrefix.yml -.1.3.6.1.2.1.51.3: IETF/RSVP-MIB-rsvpNotifications.yml -.1.3.6.1.2.1.55.2: IETF/IPV6-MIB-ipv6NotificationPrefix.yml -.1.3.6.1.2.1.60.2: IETF/ACCOUNTING-CONTROL-MIB-acctngNotifyPrefix.yml -.1.3.6.1.2.1.63.2: IETF/DISMAN-SCHEDULE-MIB-schedTraps.yml -.1.3.6.1.2.1.64.2: IETF/DISMAN-SCRIPT-MIB-smTraps.yml -.1.3.6.1.2.1.68: IETF/VRRP-MIB-vrrpNotifications.yml 
-.1.3.6.1.2.1.80: IETF/DISMAN-PING-MIB-pingNotifications.yml -.1.3.6.1.2.1.81: IETF/DISMAN-TRACEROUTE-MIB-traceRouteNotifications.yml -.1.3.6.1.2.1.83.1.2: IETF/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmTraps.yml -.1.3.6.1.2.1.83.1.3: IETF/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmtsTraps.yml -.1.3.6.1.2.1.88.2: IETF/DISMAN-EVENT-MIB-dismanEventMIBNotifications.yml -.1.3.6.1.2.1.8888: IETF/FIBRE-CHANNEL-MGMT-MIB-fcMgmtNotifications.yml -.1.3.6.1.3.62.1.1.11: IETF/DVMRP-MIB-dvmrpTraps.yml -.1.3.6.1.3.90.2: IETF/XGCP-MIB-xgcpNotifications.yml -.1.3.6.1.3.92.1.1: IETF/MSDP-MIB-msdpTraps.yml -.1.3.6.1.3.94: IETF/FCMGMT-MIB-fcmgmt.yml -.1.3.6.1.3.118: IETF/MPLS-VPN-MIB-mplsVpnNotifications.yml +.1.3.6.1.2.1.10.5: ietf/RFC1382-MIB-x25.yml +.1.3.6.1.2.1.10.20.2: ietf/ISDN-MIB-isdnMibTraps.yml +.1.3.6.1.2.1.10.21.2: ietf/DIAL-CONTROL-MIB-dialControlMibTraps.yml +.1.3.6.1.2.1.10.48: ietf/HDSL2-SHDSL-LINE-MIB-hdsl2ShdslNotifications.yml +.1.3.6.1.2.1.10.49.2: ietf/APS-MIB-apsNotificationsPrefix.yml +.1.3.6.1.2.1.10.94.1.2.1: ietf/ADSL-LINE-MIB-adslAtucTraps.yml +.1.3.6.1.2.1.10.94.1.2.2: ietf/ADSL-LINE-MIB-adslAturTraps.yml +.1.3.6.1.2.1.10.166.2: ietf/MPLS-LSR-STD-MIB-mplsLsrNotifications.yml +.1.3.6.1.2.1.10.166.3: ietf/MPLS-TE-STD-MIB-mplsTeNotifications.yml +.1.3.6.1.2.1.16: ietf/RMON-MIB-rmonEventsV2.yml +.1.3.6.1.2.1.16.29.2: ietf/HC-ALARM-MIB-hcAlarmNotifPrefix.yml +.1.3.6.1.2.1.22: ietf/SNMP-REPEATER-MIB-snmpDot3RptrMgt.yml +.1.3.6.1.2.1.33.2: ietf/UPS-MIB-upsTraps.yml +.1.3.6.1.2.1.39.2: ietf/RDBMS-MIB-rdbmsTraps.yml +.1.3.6.1.2.1.44.2: ietf/MIP-MIB-mipMIBNotifications.yml +.1.3.6.1.2.1.46.1: ietf/DLSW-MIB-dlswTraps.yml +.1.3.6.1.2.1.47.2: ietf/ENTITY-MIB-entityMIBTrapPrefix.yml +.1.3.6.1.2.1.51.3: ietf/RSVP-MIB-rsvpNotifications.yml +.1.3.6.1.2.1.60.2: ietf/ACCOUNTING-CONTROL-MIB-acctngNotifyPrefix.yml +.1.3.6.1.2.1.63.2: ietf/DISMAN-SCHEDULE-MIB-schedTraps.yml +.1.3.6.1.2.1.64.2: ietf/DISMAN-SCRIPT-MIB-smTraps.yml +.1.3.6.1.2.1.80: ietf/DISMAN-PING-MIB-pingNotifications.yml 
+.1.3.6.1.2.1.81: ietf/DISMAN-TRACEROUTE-MIB-traceRouteNotifications.yml +.1.3.6.1.2.1.83.1.2: ietf/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmTraps.yml +.1.3.6.1.2.1.83.1.3: ietf/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmtsTraps.yml +.1.3.6.1.2.1.8888: ietf/FIBRE-CHANNEL-MGMT-MIB-fcMgmtNotifications.yml +.1.3.6.1.3.62.1.1.11: ietf/DVMRP-MIB-dvmrpTraps.yml +.1.3.6.1.3.90.2: ietf/XGCP-MIB-xgcpNotifications.yml +.1.3.6.1.3.92.1.1: ietf/MSDP-MIB-msdpTraps.yml +.1.3.6.1.3.94: ietf/FCMGMT-MIB-fcmgmt.yml +.1.3.6.1.3.118: ietf/MPLS-VPN-MIB-mplsVpnNotifications.yml .1.3.6.1.4.1.2.6.135: ibm/IBMADSM-MIB-ibmAdsm.yml .1.3.6.1.4.1.2.6.167.2: ibm/IBM-SERVERAID-MIB-ibmServeRaidMIB.yml .1.3.6.1.4.1.9: cisco/CISCOTRAP-MIB-cisco.yml @@ -373,4 +386,4 @@ unsupported: unsupported.yml .1.3.6.1.4.1.12788: bladelogic/BLMIB-bladelogic.yml .1.3.6.1.4.1.13045.1.1: uptimedevices/UPTIME-ROOT-MIB-sh2.yml .1.3.6.1.4.1.14223.1.1: talos/SFALERT-sfalertTrap.yml -.1.3.6.1.6.3.2.1.1.3: IETF/SNMPv2-M2M-MIB-snmpAlarmNotifications.yml +.1.3.6.1.6.3.2.1.1.3: ietf/SNMPv2-M2M-MIB-snmpAlarmNotifications.yml diff --git a/traps/rules/IETF/BRIDGE-MIB-dot1dNotifications.yml b/traps/rules/IETF/BRIDGE-MIB-dot1dNotifications.yml deleted file mode 100644 index 4e567911..00000000 --- a/traps/rules/IETF/BRIDGE-MIB-dot1dNotifications.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "BRIDGE-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: new_root_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-BRIDGE-MIB-newRoot" - root.out.event.id = "SNMPTRAP-IETF-BRIDGE-MIB-newRoot" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - root.out.event.category.name = "Spanning Tree Root" - root.out.object.name = "vtpVlanEntry.1.$1 - root.out.event.message = "VLAN is New Root of Spanning Tree ( Domain: 1, VLAN: $1 )" - root.out.object.name = "swSysBridgeEntry.$1 - root.out.event.message = "Bridge is New Root of Spanning Tree ( " + root.out.object.name + " )" - root.out.object.name = "" - root.out.event.message = @Node is New Root of Spanning Tree" - root.out.object.name = "" - root.out.event.message = @Node is New Root of Spanning Tree ( OID1: .1.3.6.1.2.1.17 )" - root.out.object.name = "" - root.out.event.message = @Node is New Root of Spanning Tree" - - check: this.trap.SpecificTrap == 2 - processors: - - label: topology_change_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-BRIDGE-MIB-topologyChange" - root.out.event.id = "SNMPTRAP-IETF-BRIDGE-MIB-topologyChange" - root.out.event.category.name = "Bridge Topology Change" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - root.out.object.name = "dot1dBasePortEntry.$1 - root.out.event.message = "802.1d Bridge Port Transitioned or ( " + root.out.object.name + " )" - root.out.object.name = "ifEntry.2" - root.out.event.message = "VLAN Port Transitioned or ( Port: $2, Domain: 1, VLAN: $1 )" - root.out.object.name = "swSysBridgeEntry.$1 - root.out.event.message = "Bridge Port Transitioned or ( " + root.out.object.name + " )" - root.out.object.name = "" - root.out.event.message = "Port Transitioned or " - root.out.object.name = "" - 
root.out.event.message = "Port Transitioned or ( OID1: .1.3.6.1.2.1.17 )" - root.out.object.name = "" - root.out.event.message = "Port Transitioned or " - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" diff --git a/traps/rules/IETF/DISMAN-EVENT-MIB-dismanEventMIBNotifications.yml b/traps/rules/IETF/DISMAN-EVENT-MIB-dismanEventMIBNotifications.yml deleted file mode 100644 index 91114ce4..00000000 --- a/traps/rules/IETF/DISMAN-EVENT-MIB-dismanEventMIBNotifications.yml +++ /dev/null 
@@ -1,132 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "DISMAN-EVENT-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: mte_trigger_fired_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_string() - root.out.IETF.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_string() - root.out.IETF.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_string() - root.out.IETF.mteHotOID = this.trap.VarBinds.index(3).Value - root.out.IETF.mteHotValue = this.trap.VarBinds.index(4).Value - - label: mte_trigger_fired_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteTriggerFired" - root.out.event.id = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteTriggerFired" - root.out.event.category.name = "Event Trigger Status" - root.out.object.name = "Trigger: " + this.trap.VarBinds.index(0).Value.snmp_octet_string().string() + ", Target: " + this.trap.VarBinds.index(1).Value.snmp_octet_string().string() + ", Context: " + this.trap.VarBinds.index(2).Value.snmp_octet_string().string() + ", OID: " + this.trap.VarBinds.index(3).Value.string() - root.out.event.message = "Event Trigger Fired, OID: " + this.trap.VarBinds.index(3).Value.string() + " - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.SpecificTrap == 2 - processors: - - label: mte_trigger_rising_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_string() - root.out.IETF.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_string() - root.out.IETF.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_string() - root.out.IETF.mteHotOID = this.trap.VarBinds.index(3).Value - root.out.IETF.mteHotValue = this.trap.VarBinds.index(4).Value - - label: mte_trigger_rising_rules_1 - mapping: 
|- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteTriggerRising" - root.out.event.id = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteTriggerRising" - root.out.event.category.name = "Event Trigger Status" - root.out.object.name = "Trigger: " + this.trap.VarBinds.index(0).Value.snmp_octet_string().string() + ", Target: " + this.trap.VarBinds.index(1).Value.snmp_octet_string().string() + ", Context: " + this.trap.VarBinds.index(2).Value.snmp_octet_string().string() + ", OID: " + this.trap.VarBinds.index(3).Value.string() - root.out.event.message = "Event Trigger Rising, OID: " + this.trap.VarBinds.index(3).Value.string() + " - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.SpecificTrap == 3 - processors: - - label: mte_trigger_falling_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_string() - root.out.IETF.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_string() - root.out.IETF.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_string() - root.out.IETF.mteHotOID = this.trap.VarBinds.index(3).Value - root.out.IETF.mteHotValue = this.trap.VarBinds.index(4).Value - - label: mte_trigger_falling_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteTriggerFalling" - root.out.event.id = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteTriggerFalling" - root.out.event.category.name = "Event Trigger Status" - root.out.object.name = "Trigger: " + this.trap.VarBinds.index(0).Value.snmp_octet_string().string() + ", Target: " + this.trap.VarBinds.index(1).Value.snmp_octet_string().string() + ", Context: " + this.trap.VarBinds.index(2).Value.snmp_octet_string().string() + ", OID: " + this.trap.VarBinds.index(3).Value.string() - root.out.event.message = "Event Trigger Falling, OID: " + this.trap.VarBinds.index(3).Value.string() + " - 
root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.SpecificTrap == 4 - processors: - - label: mte_trigger_failure_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_string() - root.out.IETF.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_string() - root.out.IETF.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_string() - root.out.IETF.mteHotOID = this.trap.VarBinds.index(3).Value - root.out.IETF.mteFailedReason = this.trap.VarBinds.index(4).Value.enum_enrich(".1.3.6.1.2.1.88.2.1.6") - - label: mte_trigger_failure_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteTriggerFailure" - root.out.event.id = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteTriggerFailure" - root.out.event.category.name = "Event Trigger Status" - root.out.object.name = "Trigger: " + this.trap.VarBinds.index(0).Value.snmp_octet_string().string() + ", Target: " + this.trap.VarBinds.index(1).Value.snmp_octet_string().string() + ", Context: " + this.trap.VarBinds.index(2).Value.snmp_octet_string().string() + ", OID: " + this.trap.VarBinds.index(3).Value.string() - root.out.event.message = "Event Trigger Failed, " + this.trap.VarBinds.index(4).Value.enum_enrich(".1.3.6.1.2.1.88.2.1.6").string() + " ( " + root.out.object.name + " )" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.SpecificTrap == 5 - processors: - - label: mte_event_set_failure_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_string() - root.out.IETF.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_string() - root.out.IETF.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_string() - root.out.IETF.mteHotOID = this.trap.VarBinds.index(3).Value - root.out.IETF.mteFailedReason = 
this.trap.VarBinds.index(4).Value.enum_enrich(".1.3.6.1.2.1.88.2.1.6") - - label: mte_event_set_failure_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteEventSetFailure" - root.out.event.id = "SNMPTRAP-IETF-DISMAN-EVENT-MIB-mteEventSetFailure" - root.out.event.category.name = "Event Set Status" - root.out.object.name = "Trigger: " + this.trap.VarBinds.index(0).Value.snmp_octet_string().string() + ", Target: " + this.trap.VarBinds.index(1).Value.snmp_octet_string().string() + ", Context: " + this.trap.VarBinds.index(2).Value.snmp_octet_string().string() + ", OID: " + this.trap.VarBinds.index(3).Value.string() - root.out.event.message = "Event Set Failed, " + this.trap.VarBinds.index(4).Value.enum_enrich(".1.3.6.1.2.1.88.2.1.6").string() + " ( " + root.out.object.name + " )" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" diff --git a/traps/rules/IETF/DS1-MIB-ds1Traps.yml b/traps/rules/IETF/DS1-MIB-ds1Traps.yml deleted file mode 100644 index f974a96d..00000000 --- a/traps/rules/IETF/DS1-MIB-ds1Traps.yml +++ /dev/null 
@@ -1,267 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "DS1-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: dsx1line_status_change_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.dsx1LineStatus = this.trap.VarBinds.index(0).Value - root.out.IETF.dsx1LineStatusLastChange = this.trap.VarBinds.index(1).Value - - label: dsx1line_status_change_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-DS1-MIB-dsx1LineStatusChange" - root.out.event.id = "SNMPTRAP-IETF-DS1-MIB-dsx1LineStatusChange" - root.out.event.category.name = "DS1 Line Status" - root.out.object.name = "dsx1ConfigEntry.1" - - label: dsx1line_status_change_rules_2 - switch: - - check: this.trap.VarBinds.index(0).Value.string() == 1 - processors: - - label: dsx1line_status_change_rules_2_1 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Line Normal" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(0).Value.string() == 2 - processors: - - label: dsx1line_status_change_rules_2_2 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Far-End Loss of Frame" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 4 - processors: - - label: dsx1line_status_change_rules_2_4 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Loss of Frame" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 8 - processors: - - label: dsx1line_status_change_rules_2_8 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Far-End Alarm Indication Signal" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 16 - processors: - - label: 
dsx1line_status_change_rules_2_16 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Alarm Indication Signal" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 32 - processors: - - label: dsx1line_status_change_rules_2_32 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Loss of Frame" - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - check: this.trap.VarBinds.index(0).Value.string() == 34 - processors: - - label: dsx1line_status_change_rules_2_34 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Loss of Frame: Far-End LOF" - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - check: this.trap.VarBinds.index(0).Value.string() == 40 - processors: - - label: dsx1line_status_change_rules_2_40 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Loss of Frame: Far-End AIS" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 42 - processors: - - label: dsx1line_status_change_rules_2_42 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Loss of Frame: Far-End AIS and LOF" - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - check: this.trap.VarBinds.index(0).Value.string() == 64 - processors: - - label: dsx1line_status_change_rules_2_64 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Loss of Signal" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 96 - processors: - - label: dsx1line_status_change_rules_2_96 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Loss of Frame and Signal" - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - check: 
this.trap.VarBinds.index(0).Value.string() == 98 - processors: - - label: dsx1line_status_change_rules_2_98 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Loss of Frame and Signal: Far-End LOF" - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - check: this.trap.VarBinds.index(0).Value.string() == 128 - processors: - - label: dsx1line_status_change_rules_2_128 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Line Loopback" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value.string() == 256 - processors: - - label: dsx1line_status_change_rules_2_256 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Alarm Indication Signal (E1 TS16)" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 512 - processors: - - label: dsx1line_status_change_rules_2_512 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Far End TS16 Loss of Multiframe" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 1024 - processors: - - label: dsx1line_status_change_rules_2_1024 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 TS16 Loss of Multiframe" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 2048 - processors: - - label: dsx1line_status_change_rules_2_2048 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Test Code Detected" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value.string() == 4096 - processors: - - label: dsx1line_status_change_rules_2_4096 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Unknown Alarm" - 
root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value.string() == 8192 - processors: - - label: dsx1line_status_change_rules_2_8192 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Unavailable Signal State" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 16384 - processors: - - label: dsx1line_status_change_rules_2_16384 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Carrier Equipment Out of Service" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 32768 - processors: - - label: dsx1line_status_change_rules_2_32768 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS2 Payload Alarm Indication Signal" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 65536 - processors: - - label: dsx1line_status_change_rules_2_65536 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS2 Performance Threshold Exceeded" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - processors: - - label: dsx1line_status_change_rules_2_default - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS1 Line Multiple Alarms, dsx1LineStatus: " + this.trap.VarBinds.index(0).Value.string() - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - label: dsx1line_status_change_rules_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = root.out.event.message + " ( " + root.out.object.name + " )" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" 
diff --git a/traps/rules/IETF/DS3-MIB-ds3Traps.yml b/traps/rules/IETF/DS3-MIB-ds3Traps.yml deleted file mode 100644 index 9c43b3a8..00000000 --- a/traps/rules/IETF/DS3-MIB-ds3Traps.yml +++ /dev/null 
@@ -1,177 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "DS3-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: dsx3line_status_change_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.dsx3LineStatus = this.trap.VarBinds.index(0).Value - root.out.IETF.dsx3LineStatusLastChange = this.trap.VarBinds.index(1).Value - - label: dsx3line_status_change_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-DS3-MIB-dsx3LineStatusChange" - root.out.event.id = "SNMPTRAP-IETF-DS3-MIB-dsx3LineStatusChange" - root.out.event.category.name = "DS3 Line Status" - root.out.object.name = "dsx3ConfigEntry.1" - - label: dsx3line_status_change_rules_2 - switch: - - check: this.trap.VarBinds.index(0).Value.string() == 1 - processors: - - label: dsx3line_status_change_rules_2_1 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Line Normal" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(0).Value.string() == 2 - processors: - - label: dsx3line_status_change_rules_2_2 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Far End Remote Alarm Indication" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 4 - processors: - - label: dsx3line_status_change_rules_2_4 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Remote Alarm Indication" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 8 - processors: - - label: dsx3line_status_change_rules_2_8 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Far End Alarm Indication Signal" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 16 - 
processors: - - label: dsx3line_status_change_rules_2_16 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Alarm Indication Signal" - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - check: this.trap.VarBinds.index(0).Value.string() == 32 - processors: - - label: dsx3line_status_change_rules_2_32 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Loss of Frame" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 64 - processors: - - label: dsx3line_status_change_rules_2_64 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Loss of Signal" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 96 - processors: - - label: dsx3line_status_change_rules_2_96 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Loss of Frame and Signal" - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - check: this.trap.VarBinds.index(0).Value.string() == 128 - processors: - - label: dsx3line_status_change_rules_2_128 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Line Loopback" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value.string() == 256 - processors: - - label: dsx3line_status_change_rules_2_256 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Test Pattern Detected" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(0).Value.string() == 512 - processors: - - label: dsx3line_status_change_rules_2_512 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Unknown Alarm" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: 
this.trap.VarBinds.index(0).Value.string() == 1024 - processors: - - label: dsx3line_status_change_rules_2_1024 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Unavailable Signal State" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(0).Value.string() == 2048 - processors: - - label: dsx3line_status_change_rules_2_2048 - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Carrier Equipment Out of Service" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - processors: - - label: dsx3line_status_change_rules_2_default - mapping: |- - #!blobl - root = this - - root.out.event.message = "DS3 Line Multiple Alarms, dsx3LineStatus: " + this.trap.VarBinds.index(0).Value.string() - root.out.event.severity.code = 2 - root.out.event.severity.level = "Critical" - - label: dsx3line_status_change_rules_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = root.out.event.message + " ( " + root.out.object.name + " )" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" diff --git a/traps/rules/IETF/IPV6-MIB-ipv6NotificationPrefix.yml b/traps/rules/IETF/IPV6-MIB-ipv6NotificationPrefix.yml deleted file mode 100644 index 4e919520..00000000 --- a/traps/rules/IETF/IPV6-MIB-ipv6NotificationPrefix.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "IPV6-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: ipv6if_state_change_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.ipv6IfDescr = this.trap.VarBinds.index(0).Value.snmp_display_string() - root.out.IETF.ipv6IfOperStatus = this.trap.VarBinds.index(1).Value.enum_enrich(".1.3.6.1.2.1.55.1.5.1.10") - - label: ipv6if_state_change_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-IPV6-MIB-ipv6IfStateChange" - root.out.event.id = "SNMPTRAP-IETF-IPV6-MIB-ipv6IfStateChange" - root.out.event.category.name = "IPv6 Interface Status" - root.out.object.name = "ipv6IfEntry.2" - - label: ipv6if_state_change_rules_2 - switch: - - check: this.trap.VarBinds.index(1).Value == 1 - processors: - - label: ipv6if_state_change_rules_2_1 - mapping: |- - #!blobl - root = this - - root.out.event.message = "IPv6 Interface Up" - root.out.event.severity.code = 5 - root.out.event.severity.level = "Notice" - - check: this.trap.VarBinds.index(1).Value == 2 - processors: - - label: ipv6if_state_change_rules_2_2 - mapping: |- - #!blobl - root = this - - root.out.event.message = "IPv6 Interface Down" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(1).Value == 3 - processors: - - label: ipv6if_state_change_rules_2_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = "IPv6 Interface Identifier Missing" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - check: this.trap.VarBinds.index(1).Value == 4 - processors: - - label: ipv6if_state_change_rules_2_4 - mapping: |- - #!blobl - root = this - - root.out.event.message = "IPv6 Interface Status Unknown" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.VarBinds.index(1).Value == 5 - processors: - - label: 
ipv6if_state_change_rules_2_5 - mapping: |- - #!blobl - root = this - - root.out.event.message = "IPv6 Interface Not Present" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - processors: - - label: ipv6if_state_change_rules_2_default - mapping: |- - #!blobl - root = this - - root.out.event.message = "IPv6 Interface Status Unknown" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - label: ipv6if_state_change_rules_3 - mapping: |- - #!blobl - root = this - - root.out.event.message = root.out.event.message + " ( " + this.trap.VarBinds.index(0).Value.snmp_display_string().string() + " )" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" diff --git a/traps/rules/IETF/VRRP-MIB-vrrpNotifications.yml b/traps/rules/IETF/VRRP-MIB-vrrpNotifications.yml deleted file mode 100644 index b0f7d243..00000000 --- a/traps/rules/IETF/VRRP-MIB-vrrpNotifications.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -- mapping: |- - #!blobl - root = this - root.out.origin.agent.name = "VRRP-MIB" -- switch: - - check: this.trap.SpecificTrap == 1 - processors: - - label: vrrp_trap_new_master_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.vrrpOperMasterIpAddr = this.trap.VarBinds.index(0).Value - - label: vrrp_trap_new_master_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-VRRP-MIB-vrrpTrapNewMaster" - root.out.event.id = "SNMPTRAP-IETF-VRRP-MIB-vrrpTrapNewMaster" - root.out.event.category.name = "Master Status" - root.out.object.name = "vrrpOperEntry.." - root.out.event.message = "Router Transitioned to VRRP Master ( Master: " + this.trap.VarBinds.index(0).Value.string() + " )" - root.out.event.severity.code = 4 - root.out.event.severity.level = "Warning" - - check: this.trap.SpecificTrap == 2 - processors: - - label: vrrp_trap_auth_failure_variables - mapping: |- - #!blobl - root = this - - root.out.IETF.vrrpTrapPacketSrc = this.trap.VarBinds.index(0).Value - root.out.IETF.vrrpTrapAuthErrorType = this.trap.VarBinds.index(1).Value.enum_enrich(".1.3.6.1.2.1.68.1.6") - - label: vrrp_trap_auth_failure_rules_1 - mapping: |- - #!blobl - root = this - - root.out.event.class.name = "SNMPTRAP-IETF-VRRP-MIB-vrrpTrapAuthFailure" - root.out.event.id = "SNMPTRAP-IETF-VRRP-MIB-vrrpTrapAuthFailure" - root.out.event.category.name = "Authentication Failure" - root.out.object.name = "From: " + this.trap.VarBinds.index(0).Value.string() - root.out.event.message = "VRRP " + this.trap.VarBinds.index(1).Value.enum_enrich(".1.3.6.1.2.1.68.1.6").string() + " ( " + root.out.object.name + " )" - root.out.event.severity.code = 3 - root.out.event.severity.level = "Error" - - processors: - - label: default - mapping: | - #!blobl - root = this - - root.out.event.category.name = "Unknown Trap" 
diff --git a/traps/rules/h3c/HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications.yml b/traps/rules/h3c/HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications.yml new file mode 100644 index 00000000..0c584f78 --- /dev/null +++ b/traps/rules/h3c/HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications.yml 
@@ -0,0 +1,429 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "H3C HH3C-SYS-MAN-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # hh3cSysClockChangedNotification + # + # A clock changed notification is generated when the current local date and time for the system has been manually + # changed. The value of hh3cSysLocalClock reflects new date and time. + # + # hh3cSysLocalClock (DateAndTime) - This node gives the current local time of the system. The unit of it is DateAndTime. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25506.2.3.1.1.1") { + meta varbinds_ok = true + }} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.h3c.hh3cSysLocalClock = this.trap.VarBinds.index(0).Value.snmp_date_and_time().ts_unix_milli() + + root.out.object.name = "HH3C-SYS-MAN-MIB::hh3cSysClock" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + + root.out.event.class.name = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysClockChangedNotification" + root.out.event.id = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysClockChangedNotification" + root.out.event.category.name = "system clock state" + root.out.event.message = "system clock changed, " + this.trap.VarBinds.index(0).Value.snmp_date_and_time() + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysClockChangedNotification" + root.out.event.id = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysClockChangedNotification-unknown" + root.out.event.category.name = "system clock state" + root.out.event.message = "system clock changed - UNEXPECTED VARBINDS for hh3cSysClockChangedNotification trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: this.trap.SpecificTrap == 2 + # hh3cSysReloadNotification + # + # A hh3cSysReloadNotification will be sent before the corresponding entity is rebooted. It will also be sent if the + # entity fails to reboot because the clock has changed. + # + # hh3cSysReloadImage (Integer32) - The value indicates an entry in hh3cSysImageTable. + # hh3cSysReloadCfgFile (Integer32) - The value indicates an entry in hh3cSysCFGFileTable. + # hh3cSysReloadReason (DisplayString) - The reason of system's reloading. + # hh3cSysReloadScheduleTime (DateAndTime) - Specify the local time at which the reload action will occur. 
+ # hh3cSysReloadAction (INTEGER) + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 4 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25506.2.3.1.3.3.1.4") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25506.2.3.1.3.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25506.2.3.1.3.3.1.5") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25506.2.3.1.3.3.1.6") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25506.2.3.1.3.2") { + meta varbinds_ok = true + }}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.h3c.hh3cSysReloadImage = this.trap.VarBinds.index(0).Value.string() + root.out.h3c.hh3cSysReloadCfgFile = this.trap.VarBinds.index(1).Value.string() + root.out.h3c.hh3cSysReloadReason = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.h3c.hh3cSysReloadScheduleTime = this.trap.VarBinds.index(3).Value.snmp_date_and_time().ts_unix_milli() + root.out.h3c.hh3cSysReloadAction = this.trap.VarBinds.index(4).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.25506.2.3.1.3.2") + + root.out.object.name = "HH3C-SYS-MAN-MIB::hh3cSysImageEntry" + root.out.object.index = root.out.h3c.hh3cSysReloadImage + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "image: hh3cSysReloadImage " + root.out.h3c.hh3cSysReloadImage + ", configuration: hh3cSysReloadCfgFile " + root.out.h3c.hh3cSysReloadCfgFile + + root.out.event.class.name = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysReloadNotification" + root.out.event.id = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysReloadNotification" + root.out.event.category.name = "system reload" + root.out.event.message = root.out.h3c.hh3cSysReloadAction + " system reload, " + root.out.h3c.hh3cSysReloadReason + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = 
this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + 
root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysReloadNotification" + root.out.event.id = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysReloadNotification-unknown" + root.out.event.category.name = "system reload" + root.out.event.message = "system reload - UNEXPECTED VARBINDS for hh3cSysReloadNotification trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3 + # hh3cSysStartUpNotification + # + # a hh3cSysStartUpNotification trap will be sent when the system starts up with 'main' image file failed, a trap + # will be sent to indicate which type the current image file (I.e backup or secure) is. + # + # hh3cSysImageType (INTEGER) - It indicates the reloading sequence attribute of the image. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25506.2.3.1.4.2.1.5") { + meta varbinds_ok = true + }} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.h3c.hh3cSysImageType = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.3.6.1.4.1.25506.2.3.1.4.2.1.5") + + root.out.object.name = "HH3C-SYS-MAN-MIB::hh3cSysImageEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.4.1.25506.2.3.1.4.2.1.5") + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.out.object.label = "image: hh3cSysImageIndex " + root.out.object.index + + root.out.event.class.name = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysStartUpNotification" + root.out.event.id = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysStartUpNotification" + root.out.event.category.name = "system startup state" + root.out.event.message = "system startup, main image failed, using " + root.out.h3c.hh3cSysImageType + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysStartUpNotification" + root.out.event.id = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-hh3cSysStartUpNotification-unknown" + root.out.event.category.name = "system startup state" + root.out.event.message = "system startup, main image failed - UNEXPECTED VARBINDS for hh3cSysStartUpNotification trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = 
this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + }}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-unknown" + root.out.event.id = "SNMPTRAP-HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from H3C HH3C-SYS-MAN-MIB-hh3cSystemManMIBNotifications" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/ACCOUNTING-CONTROL-MIB-acctngNotifyPrefix.yml b/traps/rules/ietf/ACCOUNTING-CONTROL-MIB-acctngNotifyPrefix.yml similarity index 100% rename from traps/rules/IETF/ACCOUNTING-CONTROL-MIB-acctngNotifyPrefix.yml rename to traps/rules/ietf/ACCOUNTING-CONTROL-MIB-acctngNotifyPrefix.yml diff --git a/traps/rules/IETF/ADSL-LINE-MIB-adslAtucTraps.yml b/traps/rules/ietf/ADSL-LINE-MIB-adslAtucTraps.yml similarity index 100% rename from traps/rules/IETF/ADSL-LINE-MIB-adslAtucTraps.yml rename to traps/rules/ietf/ADSL-LINE-MIB-adslAtucTraps.yml diff --git a/traps/rules/IETF/ADSL-LINE-MIB-adslAturTraps.yml b/traps/rules/ietf/ADSL-LINE-MIB-adslAturTraps.yml similarity index 100% rename from traps/rules/IETF/ADSL-LINE-MIB-adslAturTraps.yml rename to traps/rules/ietf/ADSL-LINE-MIB-adslAturTraps.yml diff --git a/traps/rules/IETF/APS-MIB-apsNotificationsPrefix.yml b/traps/rules/ietf/APS-MIB-apsNotificationsPrefix.yml similarity index 100% rename from traps/rules/IETF/APS-MIB-apsNotificationsPrefix.yml rename to traps/rules/ietf/APS-MIB-apsNotificationsPrefix.yml diff --git a/traps/rules/IETF/BGP4-MIB-bgp.yml b/traps/rules/ietf/BGP4-MIB-bgp.yml similarity index 100% rename from traps/rules/IETF/BGP4-MIB-bgp.yml rename to traps/rules/ietf/BGP4-MIB-bgp.yml 
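Review bot: The `varbinds_ok` checks for all three specific traps match OIDs with a bare `has_prefix`, so the SpecificTrap 1 test for `.1.3.6.1.4.1.25506.2.3.1.1.1` would also accept a hypothetical sibling arc such as `.1.3.6.1.4.1.25506.2.3.1.1.10`, and that unrelated varbind's value would then be parsed as `hh3cSysLocalClock`. Trap contents are device-supplied input, so the match should stop at an arc boundary, e.g. `let oid = this.trap.VarBinds.index(0).OID` followed by `if $oid == ".1.3.6.1.4.1.25506.2.3.1.1.1" || $oid.has_prefix(".1.3.6.1.4.1.25506.2.3.1.1.1.") {`. The same applies to the five prefixes in the SpecificTrap 2 check and the one in the SpecificTrap 3 check. Those validation mappings also call `this.trap.VarBinds.length()` directly, while every fallback branch in the file first tests `this.trap.exists("VarBinds")`. If a trap can arrive without VarBinds (not visible in this hunk), the validation step should use the same guard: `if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 {`.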
diff --git a/traps/rules/IETF/BGP4-MIB-bgpTraps.yml b/traps/rules/ietf/BGP4-MIB-bgpTraps.yml similarity index 100% rename from traps/rules/IETF/BGP4-MIB-bgpTraps.yml rename to traps/rules/ietf/BGP4-MIB-bgpTraps.yml diff --git a/traps/rules/IETF/BRIDGE-MIB-dot1dBridge.yml b/traps/rules/ietf/BRIDGE-MIB-dot1dBridge.yml similarity index 100% rename from traps/rules/IETF/BRIDGE-MIB-dot1dBridge.yml rename to traps/rules/ietf/BRIDGE-MIB-dot1dBridge.yml diff --git a/traps/rules/IETF/DIAL-CONTROL-MIB-dialControlMibTraps.yml b/traps/rules/ietf/DIAL-CONTROL-MIB-dialControlMibTraps.yml similarity index 100% rename from traps/rules/IETF/DIAL-CONTROL-MIB-dialControlMibTraps.yml rename to traps/rules/ietf/DIAL-CONTROL-MIB-dialControlMibTraps.yml diff --git a/traps/rules/ietf/DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix.yml b/traps/rules/ietf/DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix.yml new file mode 100644 index 00000000..58cdb2e5 --- /dev/null +++ b/traps/rules/ietf/DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix.yml 
@@ -0,0 +1,798 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF DISMAN-EVENT-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # mteTriggerFired + # + # Notification that the trigger indicated by the object instances has fired, for triggers with mteTriggerType + # 'boolean' or 'existence'. + # + # mteHotTrigger (SnmpAdminString) - The name of the trigger causing the notification. + # mteHotTargetName (SnmpAdminString) - The SNMP Target MIB's snmpTargetAddrName related to the notification. + # mteHotContextName (SnmpAdminString) - The context name related to the notification. + # mteHotOID (OBJECT IDENTIFIER) - The object identifier of the destination object related to the notification. + # mteHotValue (Integer32) - The value of the object at mteTriggerValueID when a trigger fired. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 4 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.88.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.88.2.1.2") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.88.2.1.3") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.2.1.88.2.1.4") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.2.1.88.2.1.5") { + meta varbinds_ok = true + }}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotOID = this.trap.VarBinds.index(3).Value + root.out.ietf.mteHotValue = this.trap.VarBinds.index(4).Value + + root.out.object.name = "DISMAN-EVENT-MIB::mteTrigger" + root.out.object.index = "0" + 
root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.out.object.label = "trigger: " + root.out.ietf.mteHotTrigger + ", target: " + root.out.ietf.mteHotTargetName + ", context: " + root.out.ietf.mteHotContextName + ", OID: " + root.out.ietf.mteHotOID + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFired" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFired" + root.out.event.category.name = "event state" + root.out.event.message = "event fired, value: " + root.out.ietf.mteHotValue.string() + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if 
this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + 
root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFired" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFired-unknown" + root.out.event.category.name = "event state" + root.out.event.message = "event fired - UNEXPECTED VARBINDS for mteTriggerFired trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2 + # mteTriggerRising + # + # Notification that the rising threshold was met for triggers with mteTriggerType 'threshold'. + # + # mteHotTrigger (SnmpAdminString) - The name of the trigger causing the notification. + # mteHotTargetName (SnmpAdminString) - The SNMP Target MIB's snmpTargetAddrName related to the notification. + # mteHotContextName (SnmpAdminString) - The context name related to the notification. + # mteHotOID (OBJECT IDENTIFIER) - The object identifier of the destination object related to the notification. 
+ # mteHotValue (Integer32) - The value of the object at mteTriggerValueID when a trigger fired. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 4 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.88.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.88.2.1.2") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.88.2.1.3") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.2.1.88.2.1.4") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.2.1.88.2.1.5") { + meta varbinds_ok = true + }}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotOID = this.trap.VarBinds.index(3).Value + root.out.ietf.mteHotValue = this.trap.VarBinds.index(4).Value + + root.out.object.name = "DISMAN-EVENT-MIB::mteTrigger" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "trigger: " + root.out.ietf.mteHotTrigger + ", target: " + root.out.ietf.mteHotTargetName + ", context: " + root.out.ietf.mteHotContextName + ", OID: " + root.out.ietf.mteHotOID + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerRising" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerRising" + root.out.event.category.name = "event threshold" + root.out.event.message = "event threshold rising, value: " + root.out.ietf.mteHotValue.string() + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = 
this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + 
root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerRising" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerRising-unknown" + root.out.event.category.name = "event threshold" + root.out.event.message = "event threshold rising - UNEXPECTED VARBINDS for mteTriggerRising trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3 + # mteTriggerFalling + # + # Notification that the falling threshold was met for triggers with mteTriggerType 'threshold'. + # + # mteHotTrigger (SnmpAdminString) - The name of the trigger causing the notification. + # mteHotTargetName (SnmpAdminString) - The SNMP Target MIB's snmpTargetAddrName related to the notification. + # mteHotContextName (SnmpAdminString) - The context name related to the notification. + # mteHotOID (OBJECT IDENTIFIER) - The object identifier of the destination object related to the notification. + # mteHotValue (Integer32) - The value of the object at mteTriggerValueID when a trigger fired. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 4 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.88.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.88.2.1.2") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.88.2.1.3") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.2.1.88.2.1.4") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.2.1.88.2.1.5") { + meta varbinds_ok = true + }}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotOID = this.trap.VarBinds.index(3).Value + root.out.ietf.mteHotValue = this.trap.VarBinds.index(4).Value + + root.out.object.name = "DISMAN-EVENT-MIB::mteTrigger" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "trigger: " + root.out.ietf.mteHotTrigger + ", target: " + root.out.ietf.mteHotTargetName + ", context: " + root.out.ietf.mteHotContextName + ", OID: " + root.out.ietf.mteHotOID + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFalling" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFalling" + root.out.event.category.name = "event threshold" + root.out.event.message = "event threshold falling, value: " + root.out.ietf.mteHotValue.string() + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = 
this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + 
root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFalling" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFalling-unknown" + root.out.event.category.name = "event threshold" + root.out.event.message = "event threshold falling - UNEXPECTED VARBINDS for mteTriggerFalling trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: this.trap.SpecificTrap == 4 + # mteTriggerFailure + # + # Notification that an attempt to check a trigger has failed. + # + # mteHotTrigger (SnmpAdminString) - The name of the trigger causing the notification. + # mteHotTargetName (SnmpAdminString) - The SNMP Target MIB's snmpTargetAddrName related to the notification. + # mteHotContextName (SnmpAdminString) - The context name related to the notification. + # mteHotOID (OBJECT IDENTIFIER) - The object identifier of the destination object related to the notification. 
+ # mteFailedReason (INTEGER) - The reason for the failure of an attempt to check for a trigger condition or set an + # object in response to an event. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 4 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.88.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.88.2.1.2") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.88.2.1.3") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.2.1.88.2.1.4") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.2.1.88.2.1.6") { + meta varbinds_ok = true + }}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotOID = this.trap.VarBinds.index(3).Value + root.out.ietf.mteFailedReason = this.trap.VarBinds.index(4).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.88.2.1.6") + + root.out.object.name = "DISMAN-EVENT-MIB::mteTrigger" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "trigger: " + root.out.ietf.mteHotTrigger + ", target: " + root.out.ietf.mteHotTargetName + ", context: " + root.out.ietf.mteHotContextName + ", OID: " + root.out.ietf.mteHotOID + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFailure" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFailure" + root.out.event.category.name = "event trigger state" + root.out.event.message = "event trigger failed, " + root.out.ietf.mteFailedReason + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = 
this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + 
root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFailure" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteTriggerFailure-unknown" + root.out.event.category.name = "event trigger state" + root.out.event.message = "event trigger failed - UNEXPECTED VARBINDS for mteTriggerFailure trap!" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: this.trap.SpecificTrap == 5 + # mteEventSetFailure + # + # Notification that an attempt to do a set in response to an event has failed. + # + # mteHotTrigger (SnmpAdminString) - The name of the trigger causing the notification. + # mteHotTargetName (SnmpAdminString) - The SNMP Target MIB's snmpTargetAddrName related to the notification. + # mteHotContextName (SnmpAdminString) - The context name related to the notification. + # mteHotOID (OBJECT IDENTIFIER) - The object identifier of the destination object related to the notification. 
+ # mteFailedReason (INTEGER) - The reason for the failure of an attempt to check for a trigger condition or set an + # object in response to an event. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 4 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.88.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.88.2.1.2") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.88.2.1.3") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.2.1.88.2.1.4") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.2.1.88.2.1.6") { + meta varbinds_ok = true + }}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.mteHotTrigger = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotTargetName = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotContextName = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.ietf.mteHotOID = this.trap.VarBinds.index(3).Value + root.out.ietf.mteFailedReason = this.trap.VarBinds.index(4).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.88.2.1.6") + + root.out.object.name = "DISMAN-EVENT-MIB::mteTrigger" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "trigger: " + root.out.ietf.mteHotTrigger + ", target: " + root.out.ietf.mteHotTargetName + ", context: " + root.out.ietf.mteHotContextName + ", OID: " + root.out.ietf.mteHotOID + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteEventSetFailure" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteEventSetFailure" + root.out.event.category.name = "event response state" + root.out.event.message = "event response failed, " + root.out.ietf.mteFailedReason + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = 
this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + 
root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteEventSetFailure" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-mteEventSetFailure-unknown" + root.out.event.category.name = "event response state" + root.out.event.message = "event response failed - UNEXPECTED VARBINDS for mteEventSetFailure trap!" 
+ root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = 
this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + }}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-unknown" + root.out.event.id = "SNMPTRAP-DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF DISMAN-EVENT-MIB-dismanEventMIBNotificationPrefix" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/DISMAN-PING-MIB-pingNotifications.yml b/traps/rules/ietf/DISMAN-PING-MIB-pingNotifications.yml similarity index 100% rename from traps/rules/IETF/DISMAN-PING-MIB-pingNotifications.yml rename to traps/rules/ietf/DISMAN-PING-MIB-pingNotifications.yml diff --git a/traps/rules/IETF/DISMAN-SCHEDULE-MIB-schedTraps.yml b/traps/rules/ietf/DISMAN-SCHEDULE-MIB-schedTraps.yml similarity index 100% rename from traps/rules/IETF/DISMAN-SCHEDULE-MIB-schedTraps.yml rename to traps/rules/ietf/DISMAN-SCHEDULE-MIB-schedTraps.yml diff --git a/traps/rules/IETF/DISMAN-SCRIPT-MIB-smTraps.yml b/traps/rules/ietf/DISMAN-SCRIPT-MIB-smTraps.yml similarity index 100% rename from traps/rules/IETF/DISMAN-SCRIPT-MIB-smTraps.yml rename to traps/rules/ietf/DISMAN-SCRIPT-MIB-smTraps.yml diff --git a/traps/rules/IETF/DISMAN-TRACEROUTE-MIB-traceRouteNotifications.yml b/traps/rules/ietf/DISMAN-TRACEROUTE-MIB-traceRouteNotifications.yml similarity index 100% rename from traps/rules/IETF/DISMAN-TRACEROUTE-MIB-traceRouteNotifications.yml rename to traps/rules/ietf/DISMAN-TRACEROUTE-MIB-traceRouteNotifications.yml 
diff --git a/traps/rules/IETF/DLSW-MIB-dlswTraps.yml b/traps/rules/ietf/DLSW-MIB-dlswTraps.yml
similarity index 100%
rename from traps/rules/IETF/DLSW-MIB-dlswTraps.yml
rename to traps/rules/ietf/DLSW-MIB-dlswTraps.yml
diff --git a/traps/rules/IETF/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmTraps.yml b/traps/rules/ietf/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmTraps.yml
similarity index 100%
rename from traps/rules/IETF/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmTraps.yml
rename to traps/rules/ietf/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmTraps.yml
diff --git a/traps/rules/IETF/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmtsTraps.yml b/traps/rules/ietf/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmtsTraps.yml
similarity index 100%
rename from traps/rules/IETF/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmtsTraps.yml
rename to traps/rules/ietf/DOCS-CABLE-DEVICE-TRAP-MIB-docsDevCmtsTraps.yml
diff --git a/traps/rules/ietf/DS1-MIB-ds1Traps.yml b/traps/rules/ietf/DS1-MIB-ds1Traps.yml
new file mode 100644
index 00000000..3f8afc89
--- /dev/null
+++ b/traps/rules/ietf/DS1-MIB-ds1Traps.yml
@@ -0,0 +1,312 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF DS1-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # dsx1LineStatusChange + # + # A dsx1LineStatusChange trap is sent when the value of an instance dsx1LineStatus changes. + # + # dsx1LineStatus (INTEGER) - This variable indicates the line status of the interface. + # dsx1LineStatusLastChange (TimeTicks) - The value of MIB II's sysUpTime object at the time this DS1 entered its + # current line status state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.10.18.6.1.10") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.10.18.6.1.16") { + meta varbinds_ok = true + }}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + meta dsx1LineStatus = this.trap.VarBinds.index(0).Value + + root.out.ietf.dsx1LineStatus = this.trap.VarBinds.index(0).Value + root.out.ietf.dsx1LineStatusLastChange = this.trap.VarBinds.index(1).Value + + root.TEMP.alarms = "" + if root.out.ietf.dsx1LineStatus.bitwise_and(1) == 1 || root.out.ietf.dsx1LineStatus == 0 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "no alarm" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(2) == 2 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "far-end LOF" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(4) == 4 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end sending LOF" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(8) == 8 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "far-end 
sending AIS" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(16) == 16 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end sending AIS" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(32) == 32 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end LOF" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(64) == 64 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end LOS" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(128) == 128 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end looped" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(256) == 256 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "E1 TS16 AIS" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(512) == 512 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "far-end sending TS16 LOMF" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(1024) == 1024 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end sending TS16 LOMF" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(2048) == 2048 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end detects test code" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(4096) == 4096 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "other" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(8192) == 8192 { + if root.TEMP.alarms.length() 
> 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end unavailable" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(16384) == 16384 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "carrier equipment out-of-service" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(32768) == 32768 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "DS2 payload AIS" + } + if root.out.ietf.dsx1LineStatus.bitwise_and(65536) == 65536 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "DS2 performance threshold exceeded" + } + + root.out.object.name = "DS1-MIB::dsx1ConfigEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.2.1.10.18.6.1.10") + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: dsx1LineIndex " + root.out.object.index + + root.out.event.class.name = "SNMPTRAP-DS1-MIB-ds1Traps-dsx1LineStatusChange" + root.out.event.id = "SNMPTRAP-DS1-MIB-ds1Traps-dsx1LineStatusChange" + root.out.event.category.name = "DS1/E1 line state" + + - switch: + - check: metadata("dsx1LineStatus") < 2 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-ok" + root.out.event.message = "DS1/E1 line OK: " + root.TEMP.alarms + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-alarm" + root.out.event.message = "DS1/E1 line alarm: " + root.TEMP.alarms + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = 
this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + }}}}} + + root.out.event.class.name = "SNMPTRAP-DS1-MIB-ds1Traps-dsx1LineStatusChange" + root.out.event.id = "SNMPTRAP-DS1-MIB-ds1Traps-dsx1LineStatusChange-unknown" + root.out.event.category.name = "DS1/E1 line state" + root.out.event.message = "DS1/E1 line state change - UNEXPECTED VARBINDS for dsx1LineStatusChange trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-DS1-MIB-ds1Traps-unknown" + root.out.event.id = "SNMPTRAP-DS1-MIB-ds1Traps-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF DS1-MIB-ds1Traps" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/ietf/DS3-MIB-ds3Traps.yml b/traps/rules/ietf/DS3-MIB-ds3Traps.yml new file mode 100644 index 00000000..dd4def31 --- /dev/null +++ b/traps/rules/ietf/DS3-MIB-ds3Traps.yml 
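Review bot: The `varbinds_ok` guard for dsx1LineStatusChange checks only the two OID prefixes, so a trap whose first varbind has the expected OID but a non-integer value still reaches the `bitwise_and(...)` chain and the `metadata("dsx1LineStatus") < 2` check; trap contents arrive from the network and should be treated as untrusted input. I would gate the flag on the value type as well, e.g. `if this.trap.VarBinds.index(0).Value.type() == "number" { meta varbinds_ok = true }` (assuming the decoder delivers INTEGER values as numbers), so a malformed trap falls through to the "UNEXPECTED VARBINDS" branch instead of failing inside the mapping; how the pipeline treats a failed mapping is not visible in this file. Separately, `has_prefix(".1.3.6.1.2.1.10.18.6.1.10")` also accepts an OID such as `.1.3.6.1.2.1.10.18.6.1.100.x`; comparing against the prefix with a trailing dot would pin the column exactly. The same guard pattern appears in the DS3 rules file that follows.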
@@ -0,0 +1,282 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF DS3-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # dsx3LineStatusChange + # + # A dsx3LineStatusChange trap is sent when the value of an instance of dsx3LineStatus changes. + # + # dsx3LineStatus (INTEGER) - This variable indicates the Line Status of the interface. + # dsx3LineStatusLastChange (TimeTicks) - The value of MIB II's sysUpTime object at the time this DS3/E3 entered its + # current line status state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.10.30.5.1.10") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.10.30.5.1.14") { + meta varbinds_ok = true + }}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + meta dsx3LineStatus = this.trap.VarBinds.index(0).Value + + root.out.ietf.dsx3LineStatus = this.trap.VarBinds.index(0).Value + root.out.ietf.dsx3LineStatusLastChange = this.trap.VarBinds.index(1).Value + + root.TEMP.alarms = "" + if root.out.ietf.dsx3LineStatus.bitwise_and(1) == 1 || root.out.ietf.dsx3LineStatus == 0 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "no alarm" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(2) == 2 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "receiving yellow/remote AIS" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(4) == 4 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "transmitting yellow/remote AIS" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(8) == 8 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = 
root.TEMP.alarms + "receiving AIS" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(16) == 16 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "transmitting AIS" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(32) == 32 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "receiving LOF" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(64) == 64 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "receiving LOS" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(128) == 128 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "looping received signal" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(256) == 256 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "receiving test pattern" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(512) == 512 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "other" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(1024) == 1024 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "near-end unavailable" + } + if root.out.ietf.dsx3LineStatus.bitwise_and(2048) == 2048 { + if root.TEMP.alarms.length() > 0 { + root.TEMP.alarms = root.TEMP.alarms + ", " + } + root.TEMP.alarms = root.TEMP.alarms + "carrier equipment out-of-service" + } + + root.out.object.name = "DS3-MIB::dsx3ConfigEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.2.1.10.30.5.1.10") + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: dsx3LineIndex " + root.out.object.index + + root.out.event.class.name = "SNMPTRAP-DS3-MIB-ds3Traps-dsx3LineStatusChange" + root.out.event.id = "SNMPTRAP-DS3-MIB-ds3Traps-dsx3LineStatusChange" + root.out.event.category.name = "DS3/E3 line state" + + - switch: + - check: metadata("dsx3LineStatus") < 2 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-ok" + root.out.event.message = "DS3/E3 line OK: " + root.TEMP.alarms + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-alarm" + root.out.event.message = "DS3/E3 line alarm: " + root.TEMP.alarms + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = 
this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + }}}}} + + root.out.event.class.name = "SNMPTRAP-DS3-MIB-ds3Traps-dsx3LineStatusChange" + root.out.event.id = "SNMPTRAP-DS3-MIB-ds3Traps-dsx3LineStatusChange-unknown" + root.out.event.category.name = "DS3/E3 line state" + root.out.event.message = "DS3/E3 line state change - UNEXPECTED VARBINDS for dsx3LineStatusChange trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-DS3-MIB-ds3Traps-unknown" + root.out.event.id = "SNMPTRAP-DS3-MIB-ds3Traps-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF DS3-MIB-ds3Traps" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/DVMRP-MIB-dvmrpTraps.yml b/traps/rules/ietf/DVMRP-MIB-dvmrpTraps.yml similarity index 100% rename from traps/rules/IETF/DVMRP-MIB-dvmrpTraps.yml rename to traps/rules/ietf/DVMRP-MIB-dvmrpTraps.yml diff --git a/traps/rules/IETF/ENTITY-MIB-entityMIBTrapPrefix.yml b/traps/rules/ietf/ENTITY-MIB-entityMIBTrapPrefix.yml similarity index 100% rename from traps/rules/IETF/ENTITY-MIB-entityMIBTrapPrefix.yml rename to traps/rules/ietf/ENTITY-MIB-entityMIBTrapPrefix.yml diff --git a/traps/rules/IETF/FCMGMT-MIB-fcmgmt.yml b/traps/rules/ietf/FCMGMT-MIB-fcmgmt.yml similarity index 100% rename from traps/rules/IETF/FCMGMT-MIB-fcmgmt.yml rename to traps/rules/ietf/FCMGMT-MIB-fcmgmt.yml diff --git a/traps/rules/IETF/FIBRE-CHANNEL-MGMT-MIB-fcMgmtNotifications.yml b/traps/rules/ietf/FIBRE-CHANNEL-MGMT-MIB-fcMgmtNotifications.yml similarity index 100% rename from traps/rules/IETF/FIBRE-CHANNEL-MGMT-MIB-fcMgmtNotifications.yml rename to traps/rules/ietf/FIBRE-CHANNEL-MGMT-MIB-fcMgmtNotifications.yml diff --git a/traps/rules/ietf/FRAME-RELAY-DTE-MIB-frameRelayDTE.yml b/traps/rules/ietf/FRAME-RELAY-DTE-MIB-frameRelayDTE.yml new file mode 100644 index 00000000..53abdf4c --- /dev/null +++ b/traps/rules/ietf/FRAME-RELAY-DTE-MIB-frameRelayDTE.yml 
@@ -0,0 +1,305 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF FRAME-RELAY-DTE-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # frDLCIStatusChange + # + # This trap indicates that the indicated Virtual Circuit has changed state. + # + # RFC-1315: + # frCircuitIfIndex (INTEGER) - The ifIndex Value of the ifEntry this virtual circuit is layered onto. + # frCircuitDlci (INTEGER) - The Data Link Connection Identifier for this virtual circuit. + # frCircuitState (INTEGER) - Indicates whether the particular virtual circuit is operational. + # + # RFC-2115: + # frCircuitState (INTEGER) - Indicates whether the particular virtual circuit is operational. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds = "unexpected" + if this.trap.VarBinds.length() > 2 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.10.32.2.1.1") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.10.32.2.1.2") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.2.1.10.32.2.1.3") { + meta varbinds = "rfc1315" + }}}} else if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.10.32.2.1.3") { + meta varbinds = "rfc2115" + }} + + - switch: + - check: metadata("varbinds") == "rfc2115" + processors: + - mapping: |- + #!blobl + root = this + + meta frCircuitState = this.trap.VarBinds.index(0).Value + + root.out.ietf.frCircuitState = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.10.32.2.1.3") + + root.out.object.name = "FRAME-RELAY-DTE-MIB::frCircuitEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.2.1.10.32.2.1.3") + root.TEMP.frCircuitEntry = root.out.object.index.snmp_oid_extract_index("Integer,Integer") + root.out.ietf.frCircuitIfIndex = root.TEMP.frCircuitEntry.index(0).string() + root.out.ietf.frCircuitDlci = root.TEMP.frCircuitEntry.index(1).string() + root.out.object.entity = 
this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ietf.frCircuitIfIndex + ", DLCI: " + root.out.ietf.frCircuitDlci + + root.out.event.class.name = "SNMPTRAP-FRAME-RELAY-DTE-MIB-frameRelayDTE-frDLCIStatusChange" + root.out.event.id = "SNMPTRAP-FRAME-RELAY-DTE-MIB-frameRelayDTE-frDLCIStatusChange" + root.out.event.category.name = "frame relay DLCI state" + + - switch: + - check: metadata("frCircuitState") == 1 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-invalid" + root.out.event.message = "frame relay DLCI invalid" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: metadata("frCircuitState") == 2 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-active" + root.out.event.message = "frame relay DLCI active" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - check: metadata("frCircuitState") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-inactive" + root.out.event.message = "frame relay DLCI inactive" + root.out.event.severity.code = 2 + root.out.event.severity.level = "Critical" + + - processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-unknown" + root.out.event.message = "frame relay DLCI state unknown" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - check: metadata("varbinds") == "rfc1315" + processors: + - mapping: |- + #!blobl + root = this + + meta frCircuitState = this.trap.VarBinds.index(2).Value + + root.out.ietf.frCircuitIfIndex = 
this.trap.VarBinds.index(0).Value.string() + root.out.ietf.frCircuitDlci = this.trap.VarBinds.index(1).Value.string() + root.out.ietf.frCircuitState = this.trap.VarBinds.index(2).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.10.32.2.1.3") + + root.out.object.name = "FRAME-RELAY-DTE-MIB::frCircuitEntry" + root.out.object.index = this.trap.VarBinds.index(2).OID.snmp_oid_get_index(".1.3.6.1.2.1.10.32.2.1.3") + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ietf.frCircuitIfIndex + ", DLCI: " + root.out.ietf.frCircuitDlci + + root.out.event.class.name = "SNMPTRAP-FRAME-RELAY-DTE-MIB-frameRelayDTE-frDLCIStatusChange" + root.out.event.id = "SNMPTRAP-FRAME-RELAY-DTE-MIB-frameRelayDTE-frDLCIStatusChange" + root.out.event.category.name = "frame relay DLCI state" + + - switch: + - check: metadata("frCircuitState") == 1 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-invalid" + root.out.event.message = "frame relay DLCI invalid" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: metadata("frCircuitState") == 2 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-active" + root.out.event.message = "frame relay DLCI active" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - check: metadata("frCircuitState") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-inactive" + root.out.event.message = "frame relay DLCI inactive" + root.out.event.severity.code = 2 + root.out.event.severity.level = "Critical" + + - processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-unknown" + root.out.event.message = "frame relay DLCI state unknown" + root.out.event.severity.code = 4 + 
root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if 
this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-FRAME-RELAY-DTE-MIB-frameRelayDTE-frDLCIStatusChange" + root.out.event.id = "SNMPTRAP-FRAME-RELAY-DTE-MIB-frameRelayDTE-frDLCIStatusChange-unknown" + root.out.event.category.name = "frame relay DLCI state" + root.out.event.message = "frame relay DLCI state change - UNEXPECTED VARBINDS for frDLCIStatusChange trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = 
this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-FRAME-RELAY-DTE-MIB-frameRelayDTE-unknown" + root.out.event.id = "SNMPTRAP-FRAME-RELAY-DTE-MIB-frameRelayDTE-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF FRAME-RELAY-DTE-MIB-frameRelayDTE" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/HC-ALARM-MIB-hcAlarmNotifPrefix.yml b/traps/rules/ietf/HC-ALARM-MIB-hcAlarmNotifPrefix.yml similarity index 100% rename from traps/rules/IETF/HC-ALARM-MIB-hcAlarmNotifPrefix.yml rename to traps/rules/ietf/HC-ALARM-MIB-hcAlarmNotifPrefix.yml diff --git a/traps/rules/IETF/HDSL2-SHDSL-LINE-MIB-hdsl2ShdslNotifications.yml b/traps/rules/ietf/HDSL2-SHDSL-LINE-MIB-hdsl2ShdslNotifications.yml similarity index 100% rename from traps/rules/IETF/HDSL2-SHDSL-LINE-MIB-hdsl2ShdslNotifications.yml rename to traps/rules/ietf/HDSL2-SHDSL-LINE-MIB-hdsl2ShdslNotifications.yml 
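Review bot: An RFC 2115 form of frDLCIStatusChange that carries more than two varbinds is classified as "unexpected", because in the first mapping the `else if this.trap.VarBinds.length() > 0` arm is reached only when `length() > 2` is false. Once the length test passes and the first OID is not under `.1.3.6.1.2.1.10.32.2.1.1`, nothing else is tried. An agent that appends extra varbinds after frCircuitState would therefore get the `-unknown` Warning event instead of the invalid/active/inactive one. The two prefixes tested at index 0 cannot both match, so the RFC 2115 test can stand alone: close the first block with `}}}}` and start a separate `if this.trap.VarBinds.length() > 0 {` for the `.1.3.6.1.2.1.10.32.2.1.3` check.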
diff --git a/traps/rules/ietf/IPV6-MIB-ipv6Notifications.yml b/traps/rules/ietf/IPV6-MIB-ipv6Notifications.yml new file mode 100644 index 00000000..21c9af49 --- /dev/null +++ b/traps/rules/ietf/IPV6-MIB-ipv6Notifications.yml 
@@ -0,0 +1,240 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF IPV6-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # ipv6IfStateChange + # + # An ipv6IfStateChange notification signifies that there has been a change in the state of an ipv6 interface. + # + # ipv6IfDescr (DisplayString) - A textual string containing information about the interface. + # ipv6IfOperStatus (INTEGER) - The current operational state of the interface. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.55.1.5.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.55.1.5.1.10") { + meta varbinds_ok = true + }}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + meta ipv6IfOperStatus = this.trap.VarBinds.index(1).Value + + root.out.ietf.ipv6IfDescr = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.ietf.ipv6IfOperStatus = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.55.1.5.1.10") + + root.out.object.name = "IPV6-MIB::ipv6IfEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.2.1.55.1.5.1.2") + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: " + root.out.ietf.ipv6IfDescr + + root.out.event.class.name = "SNMPTRAP-IPV6-MIB-ipv6Notifications-ipv6IfStateChange" + root.out.event.id = "SNMPTRAP-IPV6-MIB-ipv6Notifications-ipv6IfStateChange" + root.out.event.category.name = "IPv6 interface state" + + - switch: + - check: metadata("ipv6IfOperStatus") == 1 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-up" + root.out.event.message = "IPv6 interface up" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - check: metadata("ipv6IfOperStatus") == 2 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-down" + root.out.event.message = "IPv6 interface down" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: metadata("ipv6IfOperStatus") == 3 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-noIfIdentifier" + root.out.event.message = "IPv6 interface no identifier" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - check: metadata("ipv6IfOperStatus") == 5 + processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-notPresent" + root.out.event.message = "IPv6 interface not present" + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - mapping: |- + #!blobl + root = this + + root.out.event.id = root.out.event.id + "-unknown" + root.out.event.message = "IPv6 interface state unknown" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") 
&& this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + 
root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + }}}}} + + root.out.event.class.name = "SNMPTRAP-IPV6-MIB-ipv6Notifications-ipv6IfStateChange" + root.out.event.id = "SNMPTRAP-IPV6-MIB-ipv6Notifications-ipv6IfStateChange-unknown" + root.out.event.category.name = "IPv6 interface state" + root.out.event.message = "IPv6 interface state change - UNEXPECTED VARBINDS for ipv6IfStateChange trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + 
root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = 
this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-IPV6-MIB-ipv6Notifications-unknown" + root.out.event.id = "SNMPTRAP-IPV6-MIB-ipv6Notifications-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF IPV6-MIB-ipv6Notifications" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/ISDN-MIB-isdnMibTraps.yml b/traps/rules/ietf/ISDN-MIB-isdnMibTraps.yml similarity index 100% rename from traps/rules/IETF/ISDN-MIB-isdnMibTraps.yml rename to traps/rules/ietf/ISDN-MIB-isdnMibTraps.yml diff --git a/traps/rules/IETF/MAU-MIB-snmpDot3MauMgt.yml b/traps/rules/ietf/MAU-MIB-snmpDot3MauMgt.yml similarity index 100% rename from traps/rules/IETF/MAU-MIB-snmpDot3MauMgt.yml rename to traps/rules/ietf/MAU-MIB-snmpDot3MauMgt.yml 
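Review bot: The varbind classification for ipv6IfStateChange calls `this.trap.VarBinds.length()` without first testing that the field exists, while both fallback mappings in this file guard with `this.trap.exists("VarBinds") &&`. Trap PDUs arrive from the network, so a trap with no VarBinds field would presumably make this mapping fail rather than fall through cleanly to the "UNEXPECTED VARBINDS" branch; how a failed mapping is routed afterwards is not visible here. Using the same guard, `if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 1 {`, keeps the malformed case on the intended path. The frDLCIStatusChange mapping in FRAME-RELAY-DTE-MIB-frameRelayDTE.yml and the rbridgeBaseNewDrb mapping in RBRIDGE-MIB-rbridgeMIB.yml make the same unguarded call.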
diff --git a/traps/rules/IETF/MIP-MIB-mipMIBNotifications.yml b/traps/rules/ietf/MIP-MIB-mipMIBNotifications.yml similarity index 100% rename from traps/rules/IETF/MIP-MIB-mipMIBNotifications.yml rename to traps/rules/ietf/MIP-MIB-mipMIBNotifications.yml diff --git a/traps/rules/IETF/MPLS-LSR-STD-MIB-mplsLsrNotifications.yml b/traps/rules/ietf/MPLS-LSR-STD-MIB-mplsLsrNotifications.yml similarity index 100% rename from traps/rules/IETF/MPLS-LSR-STD-MIB-mplsLsrNotifications.yml rename to traps/rules/ietf/MPLS-LSR-STD-MIB-mplsLsrNotifications.yml diff --git a/traps/rules/IETF/MPLS-TE-STD-MIB-mplsTeNotifications.yml b/traps/rules/ietf/MPLS-TE-STD-MIB-mplsTeNotifications.yml similarity index 100% rename from traps/rules/IETF/MPLS-TE-STD-MIB-mplsTeNotifications.yml rename to traps/rules/ietf/MPLS-TE-STD-MIB-mplsTeNotifications.yml diff --git a/traps/rules/IETF/MPLS-VPN-MIB-mplsVpnNotifications.yml b/traps/rules/ietf/MPLS-VPN-MIB-mplsVpnNotifications.yml similarity index 100% rename from traps/rules/IETF/MPLS-VPN-MIB-mplsVpnNotifications.yml rename to traps/rules/ietf/MPLS-VPN-MIB-mplsVpnNotifications.yml diff --git a/traps/rules/IETF/MSDP-MIB-msdpTraps.yml b/traps/rules/ietf/MSDP-MIB-msdpTraps.yml similarity index 100% rename from traps/rules/IETF/MSDP-MIB-msdpTraps.yml rename to traps/rules/ietf/MSDP-MIB-msdpTraps.yml diff --git a/traps/rules/IETF/NAT-MIB-natMIB.yml b/traps/rules/ietf/NAT-MIB-natMIB.yml similarity index 100% rename from traps/rules/IETF/NAT-MIB-natMIB.yml rename to traps/rules/ietf/NAT-MIB-natMIB.yml diff --git a/traps/rules/IETF/OSPF-TRAP-MIB-ospfTraps.yml b/traps/rules/ietf/OSPF-TRAP-MIB-ospfTraps.yml similarity index 100% rename from traps/rules/IETF/OSPF-TRAP-MIB-ospfTraps.yml rename to traps/rules/ietf/OSPF-TRAP-MIB-ospfTraps.yml 
diff --git a/traps/rules/IETF/Printer-MIB-printerV1Alert.yml b/traps/rules/ietf/Printer-MIB-printerV1Alert.yml similarity index 100% rename from traps/rules/IETF/Printer-MIB-printerV1Alert.yml rename to traps/rules/ietf/Printer-MIB-printerV1Alert.yml diff --git a/traps/rules/ietf/RBRIDGE-MIB-rbridgeMIB.yml b/traps/rules/ietf/RBRIDGE-MIB-rbridgeMIB.yml new file mode 100644 index 00000000..b945d78c --- /dev/null +++ b/traps/rules/ietf/RBRIDGE-MIB-rbridgeMIB.yml 
@@ -0,0 +1,243 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF RBRIDGE-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # rbridgeBaseNewDrb + # + # The rbridgeBaseNewDrb notification indicates that the sending agent has become the new Designated RBridge; the + # notification is sent by an RBridge soon after its election as the new DRB root, e.g., upon expiration of the + # Topology Change Timer, immediately subsequent to its election. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() == 0 { + meta varbinds_ok = true + } + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.object.name = "RBRIDGE-MIB::rbridgeMIB" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + + root.out.event.class.name = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-rbridgeBaseNewDrb" + root.out.event.id = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-rbridgeBaseNewDrb" + root.out.event.category.name = "Designated RBridge election" + root.out.event.message = "elected new Designated RBridge" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + 
root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-rbridgeBaseNewDrb" + root.out.event.id = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-rbridgeBaseNewDrb-unknown" + root.out.event.category.name = "Designated RBridge election" + root.out.event.message = "elected new Designated RBridge - UNEXPECTED VARBINDS for rbridgeBaseNewDrb trap!" 
+ root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - check: this.trap.SpecificTrap == 2 + # rbridgeBaseTopologyChange + # + # The rbridgeBaseTopologyChange notification is sent by an RBridge when any of its configured ports transition + # to/from the VLAN-x designated forwarder. The notification is not sent if an rbridgeBaseNewDrb notification is sent + # for the same transition. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() == 0 { + meta varbinds_ok = true + } + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.object.name = "RBRIDGE-MIB::rbridgeMIB" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + + root.out.event.class.name = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-rbridgeBaseTopologyChange" + root.out.event.id = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-rbridgeBaseTopologyChange" + root.out.event.category.name = "RBridge topology change" + root.out.event.message = "RBridge port transitioned to/from VLAN-x designated forwarder" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = 
this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-rbridgeBaseTopologyChange" + root.out.event.id = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-rbridgeBaseTopologyChange-unknown" + root.out.event.category.name = "RBridge topology change" + root.out.event.message = "RBridge port transitioned to/from VLAN-x designated forwarder - UNEXPECTED VARBINDS for rbridgeBaseTopologyChange trap!" 
+ root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-unknown" + root.out.event.id = "SNMPTRAP-RBRIDGE-MIB-rbridgeMIB-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF RBRIDGE-MIB-rbridgeMIB" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/RDBMS-MIB-rdbmsTraps.yml b/traps/rules/ietf/RDBMS-MIB-rdbmsTraps.yml similarity index 100% rename from traps/rules/IETF/RDBMS-MIB-rdbmsTraps.yml rename to traps/rules/ietf/RDBMS-MIB-rdbmsTraps.yml diff --git a/traps/rules/IETF/RFC1382-MIB-x25.yml b/traps/rules/ietf/RFC1382-MIB-x25.yml similarity index 100% rename from traps/rules/IETF/RFC1382-MIB-x25.yml rename to traps/rules/ietf/RFC1382-MIB-x25.yml diff --git a/traps/rules/IETF/RMON-MIB-rmonEventsV2.yml b/traps/rules/ietf/RMON-MIB-rmonEventsV2.yml similarity index 100% rename from traps/rules/IETF/RMON-MIB-rmonEventsV2.yml rename to traps/rules/ietf/RMON-MIB-rmonEventsV2.yml diff --git a/traps/rules/IETF/RSVP-MIB-rsvpNotifications.yml b/traps/rules/ietf/RSVP-MIB-rsvpNotifications.yml similarity index 100% rename from traps/rules/IETF/RSVP-MIB-rsvpNotifications.yml rename to traps/rules/ietf/RSVP-MIB-rsvpNotifications.yml diff --git a/traps/rules/IETF/SNMP-REPEATER-MIB-snmpDot3RptrMgt.yml b/traps/rules/ietf/SNMP-REPEATER-MIB-snmpDot3RptrMgt.yml similarity index 100% rename from traps/rules/IETF/SNMP-REPEATER-MIB-snmpDot3RptrMgt.yml rename to traps/rules/ietf/SNMP-REPEATER-MIB-snmpDot3RptrMgt.yml 
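Review bot: The `varbinds_ok` mappings for SpecificTrap 1 and 2 call `this.trap.VarBinds.length()` without the `this.trap.exists("VarBinds")` guard that the fallback mappings in this same file use, so a trap whose VarBinds field is absent (rather than an empty array) would presumably make the mapping fail and leave `varbinds_ok` unset. A trap without varbinds is exactly the shape these two rules treat as valid, yet it would then likely be routed to the "UNEXPECTED VARBINDS" branch although it carries none; whether the decoder emits an empty array or omits the field is not visible here. Consider `if !this.trap.exists("VarBinds") || this.trap.VarBinds.length() == 0 {` in both places. The fallback branches also never set `root.out.object.*` and copy at most four varbinds from the received trap, so a short comment stating that truncation would help whoever triages these events.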
diff --git a/traps/rules/IETF/SNMPv2-M2M-MIB-snmpAlarmNotifications.yml b/traps/rules/ietf/SNMPv2-M2M-MIB-snmpAlarmNotifications.yml
similarity index 100%
rename from traps/rules/IETF/SNMPv2-M2M-MIB-snmpAlarmNotifications.yml
rename to traps/rules/ietf/SNMPv2-M2M-MIB-snmpAlarmNotifications.yml
diff --git a/traps/rules/ietf/T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB.yml b/traps/rules/ietf/T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB.yml
new file mode 100644
index 00000000..5818e9a5
--- /dev/null
+++ b/traps/rules/ietf/T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB.yml
@@ -0,0 +1,605 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF T11-FC-FABRIC-ADDR-MGR-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # t11FamDomainIdNotAssignedNotify + # + # This notification indicates that a Domain_ID has not been configured or assigned for a particular Fabric, + # identified by t11FamNotifyFabricIndex, on a particular switch identified by t11FamLocalSwitchWwn. This could + # happen if the switch's request for a configured static Domain_ID is rejected or no other Domain_ID is assigned, + # then the E_Ports are isolated. + # + # t11FamLocalSwitchWwn + # t11FamNotifyFabricIndex + processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || 
this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + 
root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = 
this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = 
this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB-t11FamDomainIdNotAssignedNotify" + root.out.event.id = "SNMPTRAP-T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB-t11FamDomainIdNotAssignedNotify-unknown" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB" + root.out.event.category.name = "unhandled specific trap" + root.out.event.message = "t11FamDomainIdNotAssignedNotify - unhandled specific trap from IETF T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2 + # t11FamNewPrincipalSwitchNotify + # + # This notification indicates that a particular switch, identified by t11FamLocalSwitchWwn, has become the new + # Principal Switch on the Fabric identified by t11FamNotifyFabricIndex. This notification is sent soon after its + # election as the new Principal Switch, i.e., upon expiration of a Principal Switch selection timer that is equal to + # twice the Fabric Stability Timeout value (F_S_TOV). 
+ # + # t11FamLocalSwitchWwn + # t11FamNotifyFabricIndex + processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = 
this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = 
this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB-t11FamNewPrincipalSwitchNotify" + root.out.event.id = "SNMPTRAP-T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB-t11FamNewPrincipalSwitchNotify-unknown" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB" + root.out.event.category.name = "unhandled specific trap" + root.out.event.message = "t11FamNewPrincipalSwitchNotify - unhandled specific trap from IETF T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3 + # t11FamFabricChangeNotify + # + # This notification is sent whenever a particular switch, identified by t11FamLocalSwitchWwn, sends or receives a + # Build Fabric (BF) or a ReConfigure Fabric (RCF) message on the Fabric identified by t11FamNotifyFabricIndex. This + # notification is not sent if a 't11FamNewPrincipalSwitchNotify' notification is sent for the same event. 
+ # + # t11FamLocalSwitchWwn + # t11FamNotifyFabricIndex + processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = 
this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = 
this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB-t11FamFabricChangeNotify" + root.out.event.id = "SNMPTRAP-T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB-t11FamFabricChangeNotify-unknown" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB" + root.out.event.category.name = "unhandled specific trap" + root.out.event.message = "t11FamFabricChangeNotify - unhandled specific trap from IETF T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = 
this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + 
root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = 
this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = 
this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB-unknown" + root.out.event.id = "SNMPTRAP-T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF T11-FC-FABRIC-ADDR-MGR-MIB-t11FcFabricAddrMgrMIB" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/UPS-MIB-upsTraps.yml b/traps/rules/ietf/UPS-MIB-upsTraps.yml similarity index 100% rename from traps/rules/IETF/UPS-MIB-upsTraps.yml rename to traps/rules/ietf/UPS-MIB-upsTraps.yml diff --git a/traps/rules/ietf/VRRP-MIB-vrrpMIB.yml b/traps/rules/ietf/VRRP-MIB-vrrpMIB.yml new file mode 100644 index 00000000..dbcaffbd --- /dev/null +++ b/traps/rules/ietf/VRRP-MIB-vrrpMIB.yml 
@@ -0,0 +1,283 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF VRRP-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # vrrpTrapNewMaster + # + # The newMaster trap indicates that the sending agent has transitioned to 'Master' state. + # + # vrrpOperMasterIpAddr (IpAddress) - The master router's real (primary) IP address. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.68.1.3.1.7") { + meta varbinds_ok = true + }} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.vrrpOperMasterIpAddr = this.trap.VarBinds.index(0).Value + + root.out.object.name = "VRRP-MIB::vrrpOperEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.2.1.68.1.3.1.7") + root.TEMP.vrrpOperEntry = root.out.object.index.snmp_oid_extract_index("Integer,Integer") + root.out.ietf.ifIndex = root.TEMP.vrrpOperEntry.index(0).string() + root.out.ietf.vrrpOperVrId = root.TEMP.vrrpOperEntry.index(1).string() + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "router: " + root.out.ietf.vrrpOperMasterIpAddr + ", interface: ifIndex " + root.out.ietf.ifIndex + ", VRID: " + root.out.ietf.vrrpOperVrId + + root.out.event.class.name = "SNMPTRAP-VRRP-MIB-vrrpMIB-vrrpTrapNewMaster" + root.out.event.id = "SNMPTRAP-VRRP-MIB-vrrpMIB-vrrpTrapNewMaster" + root.out.event.category.name = "VRRP master state" + root.out.event.message = "transitioned to VRRP master" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if 
this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-VRRP-MIB-vrrpMIB-vrrpTrapNewMaster" + root.out.event.id = "SNMPTRAP-VRRP-MIB-vrrpMIB-vrrpTrapNewMaster-unknown" + root.out.event.category.name = "VRRP master state" + root.out.event.message = "transitioned to VRRP master - UNEXPECTED VARBINDS for vrrpTrapNewMaster trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2 + # vrrpTrapAuthFailure + # + # A vrrpAuthFailure trap signifies that a packet has been received from a router whose authentication key or + # authentication type conflicts with this router's authentication key or authentication type. Implementation of this + # trap is optional. + # + # vrrpTrapPacketSrc (IpAddress) - The IP address of an inbound VRRP packet. + # vrrpTrapAuthErrorType (INTEGER) - Potential types of configuration conflicts. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.68.1.5") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.68.1.6") { + meta varbinds_ok = true + }}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.vrrpTrapPacketSrc = this.trap.VarBinds.index(0).Value + root.out.ietf.vrrpTrapAuthErrorType = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.68.1.6") + + root.out.object.name = "VRRP-MIB::vrrpOperations" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.out.object.label = "from: " + root.out.ietf.vrrpTrapPacketSrc + + root.out.event.class.name = "SNMPTRAP-VRRP-MIB-vrrpMIB-vrrpTrapAuthFailure" + root.out.event.id = "SNMPTRAP-VRRP-MIB-vrrpMIB-vrrpTrapAuthFailure" + root.out.event.category.name = "VRRP authentication state" + root.out.event.message = "VRRP authentication failure, " + root.out.ietf.vrrpTrapAuthErrorType + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + }}}}} + + root.out.event.class.name = "SNMPTRAP-VRRP-MIB-vrrpMIB-vrrpTrapAuthFailure" + root.out.event.id = "SNMPTRAP-VRRP-MIB-vrrpMIB-vrrpTrapAuthFailure-unknown" + root.out.event.category.name = "VRRP authentication state" + root.out.event.message = "VRRP authentication failure - UNEXPECTED VARBINDS for vrrpTrapAuthFailure trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-VRRP-MIB-vrrpMIB-unknown" + root.out.event.id = "SNMPTRAP-VRRP-MIB-vrrpMIB-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF VRRP-MIB-vrrpMIB" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/ietf/VRRPV3-MIB-vrrpv3MIB.yml b/traps/rules/ietf/VRRPV3-MIB-vrrpv3MIB.yml new file mode 100644 index 00000000..51e10bd3 --- /dev/null +++ b/traps/rules/ietf/VRRPV3-MIB-vrrpv3MIB.yml 
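Review bot: The `varbinds_ok` guard for vrrpTrapAuthFailure (SpecificTrap == 2) checks only the OID prefixes of varbinds 0 and 1, yet the accepted branch then uses `this.trap.VarBinds.index(0).Value` unconverted in `"from: " + root.out.ietf.vrrpTrapPacketSrc`. Trap varbinds are sender-controlled, so a value that does not decode to a string would presumably make that concatenation fail and leave the authentication-failure event without its label, whereas the fallback branch would at least have recorded the raw varbinds. Converting at assignment, as the fallback branch already does, keeps the event intact: `root.out.ietf.vrrpTrapPacketSrc = this.trap.VarBinds.index(0).Value.string()`; the same applies to `vrrpOperMasterIpAddr` in the vrrpTrapNewMaster case. The guard also reads `this.trap.VarBinds.length()` without the `this.trap.exists("VarBinds")` test that the fallback mappings use, so a trap with no varbind list likely errors in the guard itself.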
@@ -0,0 +1,287 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "IETF VRRPV3-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # vrrpv3NewMaster + # + # The newMaster notification indicates that the sending agent has transitioned to master state. + # + # vrrpv3OperationsMasterIpAddr (InetAddress) - The master router's real IP address. + # vrrpv3StatisticsNewMasterReason (INTEGER) - This indicates the reason for the virtual router to transition to master state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 1 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.207.1.1.1.1.3") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.2.1.207.1.2.5.1.2") { + meta varbinds_ok = true + }}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.vrrpv3StatisticsNewMasterReason = this.trap.VarBinds.index(1).Value.snmp_int_enum_enrich("1.3.6.1.2.1.207.1.2.5.1.2") + + root.out.object.name = "VRRPV3-MIB::vrrpv3OperationsEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index("1.3.6.1.2.1.207.1.1.1.1.3") + root.TEMP.vrrpv3OperationsEntry = root.out.object.index.snmp_oid_extract_index("Integer,Integer,Integer") + root.out.ietf.ifIndex = root.TEMP.vrrpv3OperationsEntry.index(0).string() + root.out.ietf.vrrpv3OperationsVrId = root.TEMP.vrrpv3OperationsEntry.index(1).string() + root.out.ietf.vrrpv3OperationsInetAddrType = root.TEMP.vrrpv3OperationsEntry.index(2) + root.out.ietf.vrrpv3OperationsMasterIpAddr = this.trap.VarBinds.index(0).Value.snmp_inet_address(root.out.ietf.vrrpv3OperationsInetAddrType) + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "router: " + root.out.ietf.vrrpv3OperationsMasterIpAddr + ", interface: ifIndex " + root.out.ietf.ifIndex + ", VRID: " + root.out.ietf.vrrpv3OperationsVrId + + root.out.event.class.name = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-vrrpv3NewMaster" + root.out.event.id = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-vrrpv3NewMaster" + root.out.event.category.name = "VRRP master state" + root.out.event.message = "transitioned to VRRP master" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notice" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = 
this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + }}}}} + + root.out.event.class.name = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-vrrpv3NewMaster" + root.out.event.id = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-vrrpv3NewMaster-unknown" + root.out.event.category.name = "VRRP master state" + root.out.event.message = "transitioned to VRRP master - UNEXPECTED VARBINDS for vrrpv3NewMaster trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2 + # vrrpv3ProtoError + # + # The notification indicates that the sending agent has encountered the protocol error indicated by + # vrrpv3StatisticsProtoErrReason. 
+ # + # vrrpv3StatisticsProtoErrReason (INTEGER) - This indicates the reason for the last protocol error. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 0 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.2.1.207.1.2.5.1.6") { + meta varbinds_ok = true + }} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.ietf.vrrpv3StatisticsProtoErrReason = this.trap.VarBinds.index(0).Value.snmp_int_enum_enrich(".1.3.6.1.2.1.207.1.2.5.1.6") + + root.out.object.name = "VRRPV3-MIB::vrrpv3OperationsEntry" + root.out.object.index = this.trap.VarBinds.index(0).OID.snmp_oid_get_index(".1.3.6.1.2.1.207.1.2.5.1.6") + root.TEMP.vrrpv3OperationsEntry = root.out.object.index.snmp_oid_extract_index("Integer,Integer,Integer") + root.out.ietf.ifIndex = root.TEMP.vrrpv3OperationsEntry.index(0).string() + root.out.ietf.vrrpv3OperationsVrId = root.TEMP.vrrpv3OperationsEntry.index(1).string() + root.out.ietf.vrrpv3OperationsInetAddrType = root.TEMP.vrrpv3OperationsEntry.index(2) + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.out.object.label = "interface: ifIndex " + root.out.ietf.ifIndex + ", VRID: " + root.out.ietf.vrrpv3OperationsVrId + + root.out.event.class.name = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-vrrpv3ProtoError" + root.out.event.id = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-vrrpv3ProtoError" + root.out.event.category.name = "VRRP protocol state" + root.out.event.message = "VRRP protocol error, " + root.out.ietf.vrrpv3StatisticsProtoErrReason + root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if 
this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + }}}} + + root.out.event.class.name = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-vrrpv3ProtoError" + root.out.event.id = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-vrrpv3ProtoError-unknown" + root.out.event.category.name = "VRRP protocol state" + root.out.event.message = "VRRP protocol error - UNEXPECTED VARBINDS for vrrpv3ProtoError trap!" 
+ root.out.event.severity.code = 3 + root.out.event.severity.level = "Error" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-unknown" + root.out.event.id = "SNMPTRAP-VRRPV3-MIB-vrrpv3MIB-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from IETF VRRPV3-MIB-vrrpv3MIB" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/IETF/XGCP-MIB-xgcpNotifications.yml b/traps/rules/ietf/XGCP-MIB-xgcpNotifications.yml similarity index 100% rename from traps/rules/IETF/XGCP-MIB-xgcpNotifications.yml rename to traps/rules/ietf/XGCP-MIB-xgcpNotifications.yml diff --git a/traps/rules/netsnmp/NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix.yml b/traps/rules/netsnmp/NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix.yml new file mode 100644 index 00000000..648923a7 --- /dev/null +++ b/traps/rules/netsnmp/NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix.yml 
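Review bot: In the vrrpv3NewMaster branch the OID arguments lose their leading dot: the varbind check uses `has_prefix(".1.3.6.1.2.1.207.1.1.1.1.3")`, but the enrichment and index extraction that follow pass `"1.3.6.1.2.1.207.1.2.5.1.2"` and `"1.3.6.1.2.1.207.1.1.1.1.3"`. The vrrpv3ProtoError branch in the same file uses the dotted form for both calls, and the enum files in this commit key their tables with a leading dot. Unless the helpers normalise their argument, the new-master reason may stay a bare integer and `object.index` (and the ifIndex and VRID derived from it) may come out wrong. I would write `snmp_int_enum_enrich(".1.3.6.1.2.1.207.1.2.5.1.2")` and `snmp_oid_get_index(".1.3.6.1.2.1.207.1.1.1.1.3")` to match the rest of the file.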
@@ -0,0 +1,295 @@ + +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "NET-SNMP NET-SNMP-AGENT-MIB" +- switch: + - check: this.trap.SpecificTrap == 1 + # nsNotifyStart + # + # An indication that the agent has started running. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() == 0 { + meta varbinds_ok = true + } + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.object.name = "NET-SNMP-MIB::netSnmp" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + + root.out.event.class.name = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyStart" + root.out.event.id = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyStart" + root.out.event.category.name = "SNMP agent state" + root.out.event.message = "SNMP agent started" + root.out.event.severity.code = 6 + root.out.event.severity.level = "Informational" + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = 
this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + }}} + + root.out.event.class.name = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyStart" + root.out.event.id = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyStart-unknown" + root.out.event.category.name = "SNMP agent state" + root.out.event.message = "SNMP agent started - UNEXPECTED VARBINDS for nsNotifyStart trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notify" + + - check: this.trap.SpecificTrap == 2 + # nsNotifyShutdown + # + # An indication that the agent is in the process of being shut down. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() == 0 { + meta varbinds_ok = true + } + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.object.name = "NET-SNMP-MIB::netSnmp" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + + root.out.event.class.name = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyShutdown" + root.out.event.id = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyShutdown" + root.out.event.category.name = "SNMP agent state" + root.out.event.message = "SNMP agent shutdown" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + }}} + + root.out.event.class.name 
= "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyShutdown" + root.out.event.id = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyShutdown-unknown" + root.out.event.category.name = "SNMP agent state" + root.out.event.message = "SNMP agent shutdown - UNEXPECTED VARBINDS for nsNotifyShutdown trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3 + # nsNotifyRestart + # + # An indication that the agent has been restarted. This does not imply anything about whether the configuration has + # changed or not (unlike the standard coldStart or warmStart traps) + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() == 0 { + meta varbinds_ok = true + } + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.object.name = "NET-SNMP-MIB::netSnmp" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + + root.out.event.class.name = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyRestart" + root.out.event.id = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyRestart" + root.out.event.category.name = "SNMP agent state" + root.out.event.message = "SNMP agent restarted" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notify" + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + }}} + + root.out.event.class.name = 
"SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyRestart" + root.out.event.id = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-nsNotifyRestart-unknown" + root.out.event.category.name = "SNMP agent state" + root.out.event.message = "SNMP agent restarted - UNEXPECTED VARBINDS for nsNotifyRestart trap!" + root.out.event.severity.code = 5 + root.out.event.severity.level = "Notify" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + }}}}}}}} + + root.out.event.class.name = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-unknown" + root.out.event.id = "SNMPTRAP-NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from NET-SNMP NET-SNMP-AGENT-MIB-netSnmpNotificationPrefix" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" diff --git a/traps/rules/paloalto/PAN-TRAPS-panCommonEventEvents.yml b/traps/rules/paloalto/PAN-TRAPS-panCommonEventEvents.yml new file mode 100644 index 00000000..15d9c2a5 --- /dev/null +++ b/traps/rules/paloalto/PAN-TRAPS-panCommonEventEvents.yml 
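Review bot: Severity code 5 is labelled `"Notify"` in the nsNotifyStart fallback and in both nsNotifyRestart branches, while the VRRPV3 rules added in this same commit label code 5 `"Notice"`. A downstream filter or alert rule that matches on `event.severity.level` would treat the two sets of events differently, so `root.out.event.severity.level = "Notice"` in those three places would keep them aligned. Separately, the three `varbinds_ok` mappings call `this.trap.VarBinds.length() == 0` without the `this.trap.exists("VarBinds")` guard that the fallback mappings use. A trap that carries no VarBinds field at all therefore presumably ends up in the UNEXPECTED VARBINDS branch; worth confirming that this is intended.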
@@ -0,0 +1,208811 @@ +- mapping: |- + #!blobl + root = this + root.out.origin.agent.name = "Palo Alto PAN-TRAPS" +- switch: + # - check: this.trap.SpecificTrap == 2 + # # panConfigTrap + # # + # # A configuratioon event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. + # # panHost (IpAddress) - Host address of PAN device that generated the event.This field is deprecated. Please use hostinetaddrtype and hostinetaddr. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panConfigCmd (OCTET STRING) - Configuration command. + # # panConfigAdmin (OCTET STRING) - Admin name who issued configuration command. + # # panConfigClient (OCTET STRING) - Configuration client that generated command. + # # panConfigResult (OCTET STRING) - Configuration command execution result success/failure. + # # panConfigPath (OCTET STRING) - Configuration path. 
+ # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.6") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.150") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.151") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.152") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.153") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.154") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. 
+ + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panConfigTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panConfigTrap" + # root.out.event.category.name = "unhandled specific trap" + # root.out.event.message = "panConfigTrap - unhandled specific trap from VENDOR MIBNAME-ENTERPRISE" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panConfigTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panConfigTrap-unknown" + # root.out.event.category.name = "panConfigTrap" + # root.out.event.message = "panConfigTrap - UNEXPECTED VARBINDS for panConfigTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 3 + # # panTrafficTrap + # # + # # A traffic event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panSource (OCTET STRING) - Original session source IP address. + # # panDestination (OCTET STRING) - Original session destination IP address. 
+ # # panNatSource (OCTET STRING) - If Source NAT performed, the post-NAT Source IP address. + # # panNatDestination (OCTET STRING) - If Destination NAT performed, the post-NAT Destination IP address. + # # panRule (OCTET STRING) - Name of the rule that the session matched. + # # panSrcUser (OCTET STRING) - User name of the user that initiated the session. + # # panDstUser (OCTET STRING) - User name of the user to which the session was destined. + # # panApplication (OCTET STRING) - Application associated with the session. + # # panSourceZone (OCTET STRING) - Zone the session was sourced from. + # # panDestinationZone (OCTET STRING) - Zone the session was destined to. + # # panIngressInterface (OCTET STRING) - Interface that the session was sourced form. + # # panEgressInterface (OCTET STRING) - Interface that the session was sourced form. + # # panLogForwardingProfile (OCTET STRING) - Log Forwarding Profile that was applied to the session + # # panSessionID (Counter32) - An internal numerical identifier applied to each session. + # # panRepeatCount (Counter32) - Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; Used for ICMP only. + # # panSourcePort (Counter32) - Source port utilized by the session. + # # panDestinationPort (Counter32) - Destination port utilized by the session. + # # panNatSourcePort (Counter32) - Post-NAT source port. + # # panNatDestinationPort (Counter32) - Post-NAT destination port. + # # panFlags (OCTET STRING) - 32 bit field that provides details on session. + # # panProtocol (OCTET STRING) - IP protocol associated with the session + # # panAction (OCTET STRING) - Action taken for the session; Values are allow or deny + # # panTimeGenerated (OCTET STRING) - Time the log was generated on the data plane + # # panSrcloc (OCTET STRING) - Source country or Internal region for private addresses. Maximum length is 32 bytes. 
+ # # panDstloc (OCTET STRING) - Destination country or Internal region for private addresses. Maximum length is 32 bytes. + # # panXffInetAddrType (InetAddressType) - Original session X-Forwarded-For IP address type + # # panXffInetAddr (InetAddress) - Original session X-Forwarded-For IP address. + # # panSourceUUID (OCTET STRING) - Source VM UUID for NSX. Maximum length is 36 bytes. + # # panDestinationUUID (OCTET STRING) - Destination VM UUID for NSX. Maximum length is 36 bytes. + # # panRuleUUID (OCTET STRING) - Rule UUID for NSX. Maximum length is 36 bytes. + # # panTunnel (INTEGER) - Types of Tunnel; Values are n/a, gre, ipsec, gtp, gtpu and vxlan. + # # panTrafficBytes (Counter64) - Number of total bytes (transmit and receive) for the session. + # # panTrafficPackets (Counter32) - Number of total packets (transmit and receive) for the session. + # # panTrafficStartTime (OCTET STRING) - Time of session start. + # # panTrafficElapsed (TimeTicks) - Elapsed time of the session. + # # panTrafficCategory (OCTET STRING) - URL category associated with the session (if applicable). + # # panTrafficSessionEndReason (OCTET STRING) - Session end reason. + # # panTrafficTunnelID (Counter64) - Tunnel ID. + # # panTrafficImsi (Counter64) - IMSI. + # # panTrafficMonitorTag (OCTET STRING) - Monitor Tag. + # # panTrafficImei (OCTET STRING) - IMEI. + # # panTrafficParentSessionId (Counter32) - Parent Session ID. + # # panTrafficParentStartTime (Counter32) - Parent Start Time. + # # panTrafficSrcDevCat (OCTET STRING) - Source Device Cateogry. + # # panTrafficDstDevCat (OCTET STRING) - Destination Device Cateogry. + # # panTrafficSrcDevPro (OCTET STRING) - Source Device Profiles. + # # panTrafficDstDevPro (OCTET STRING) - Destination Device Profiles. + # # panTrafficSrcDevMod (OCTET STRING) - Source Device Model. + # # panTrafficDstDevMod (OCTET STRING) - Destination Device Model. + # # panTrafficSrcDevVen (OCTET STRING) - Source Device Vendor. 
+ # # panTrafficDstDevVen (OCTET STRING) - Destination Device Vendor. + # # panTrafficSrcOSFam (OCTET STRING) - Source Operating System Family. + # # panTrafficDstOSFam (OCTET STRING) - Destination Operating System. + # # panTrafficSrcOSVer (OCTET STRING) - Source Operating System Version. + # # panTrafficDstOSVer (OCTET STRING) - Destination Operating Version. + # # panTrafficSrcHost (OCTET STRING) - Source Hostname. + # # panTrafficDstHost (OCTET STRING) - Destination Hostname. + # # panTrafficSrcMAC (OCTET STRING) - Source MAC address. + # # panTrafficDstMAC (OCTET STRING) - Destination MAC address. + # # panContainerId (OCTET STRING) - Container ID + # # panPodNamespace (OCTET STRING) - POD Namespace + # # panPodName (OCTET STRING) - POD Name + # # panHostId (OCTET STRING) - Host ID + # # panSerialNo (OCTET STRING) - Serial Number + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.50") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.51") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.52") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.53") { + # 
if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.54") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.55") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.56") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.57") { + # if this.trap.VarBinds.index(16).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.58") { + # if this.trap.VarBinds.index(17).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.59") { + # if this.trap.VarBinds.index(18).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.60") { + # if this.trap.VarBinds.index(19).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.61") { + # if this.trap.VarBinds.index(20).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.62") { + # if this.trap.VarBinds.index(21).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.63") { + # if this.trap.VarBinds.index(22).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.64") { + # if this.trap.VarBinds.index(23).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.65") { + # if this.trap.VarBinds.index(24).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.66") { + # if this.trap.VarBinds.index(25).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.67") { + # if this.trap.VarBinds.index(26).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.68") { + # if this.trap.VarBinds.index(27).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.69") { + # if this.trap.VarBinds.index(28).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.70") { + # if this.trap.VarBinds.index(29).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.71") { + # if this.trap.VarBinds.index(30).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.72") { + # if this.trap.VarBinds.index(31).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.73") { + # if this.trap.VarBinds.index(32).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.74") { + # if this.trap.VarBinds.index(33).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.87") { + # if this.trap.VarBinds.index(34).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.88") { + # if 
this.trap.VarBinds.index(35).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.83") { + # if this.trap.VarBinds.index(36).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.84") { + # if this.trap.VarBinds.index(37).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.86") { + # if this.trap.VarBinds.index(38).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.85") { + # if this.trap.VarBinds.index(39).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.100") { + # if this.trap.VarBinds.index(40).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.101") { + # if this.trap.VarBinds.index(41).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.102") { + # if this.trap.VarBinds.index(42).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.103") { + # if this.trap.VarBinds.index(43).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.104") { + # if this.trap.VarBinds.index(44).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.105") { + # if this.trap.VarBinds.index(45).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.106") { + # if this.trap.VarBinds.index(46).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.107") { + # if this.trap.VarBinds.index(47).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.108") { + # if this.trap.VarBinds.index(48).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.109") { + # if this.trap.VarBinds.index(49).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.110") { + # if this.trap.VarBinds.index(50).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.111") { + # if this.trap.VarBinds.index(51).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.112") { + # if this.trap.VarBinds.index(52).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.113") { + # if this.trap.VarBinds.index(53).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.114") { + # if this.trap.VarBinds.index(54).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.115") { + # if this.trap.VarBinds.index(55).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.118") { + # if this.trap.VarBinds.index(56).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.119") { + # if this.trap.VarBinds.index(57).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.116") { + # if 
this.trap.VarBinds.index(58).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.117") { + # if this.trap.VarBinds.index(59).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.120") { + # if this.trap.VarBinds.index(60).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.121") { + # if this.trap.VarBinds.index(61).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.122") { + # if this.trap.VarBinds.index(62).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.123") { + # if this.trap.VarBinds.index(63).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.124") { + # if this.trap.VarBinds.index(64).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.125") { + # if this.trap.VarBinds.index(65).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.126") { + # if this.trap.VarBinds.index(66).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.127") { + # if this.trap.VarBinds.index(67).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.89") { + # if this.trap.VarBinds.index(68).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.90") { + # if this.trap.VarBinds.index(69).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.91") { + # if this.trap.VarBinds.index(70).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.92") { + # if this.trap.VarBinds.index(71).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.93") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. 
+ + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTrafficTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTrafficTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTrafficTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTrafficTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panTrafficTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 4 + # # panThreatTrap + # # + # # A threat/URL event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panSource (OCTET STRING) - Original session source IP address. + # # panDestination (OCTET STRING) - Original session destination IP address. 
+ # # panNatSource (OCTET STRING) - If Source NAT performed, the post-NAT Source IP address. + # # panNatDestination (OCTET STRING) - If Destination NAT performed, the post-NAT Destination IP address. + # # panRule (OCTET STRING) - Name of the rule that the session matched. + # # panSrcUser (OCTET STRING) - User name of the user that initiated the session. + # # panDstUser (OCTET STRING) - User name of the user to which the session was destined. + # # panApplication (OCTET STRING) - Application associated with the session. + # # panSourceZone (OCTET STRING) - Zone the session was sourced from. + # # panDestinationZone (OCTET STRING) - Zone the session was destined to. + # # panIngressInterface (OCTET STRING) - Interface that the session was sourced form. + # # panEgressInterface (OCTET STRING) - Interface that the session was sourced form. + # # panLogForwardingProfile (OCTET STRING) - Log Forwarding Profile that was applied to the session + # # panSessionID (Counter32) - An internal numerical identifier applied to each session. + # # panRepeatCount (Counter32) - Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; Used for ICMP only. + # # panSourcePort (Counter32) - Source port utilized by the session. + # # panDestinationPort (Counter32) - Destination port utilized by the session. + # # panNatSourcePort (Counter32) - Post-NAT source port. + # # panNatDestinationPort (Counter32) - Post-NAT destination port. + # # panFlags (OCTET STRING) - 32 bit field that provides details on session. + # # panProtocol (OCTET STRING) - IP protocol associated with the session + # # panAction (OCTET STRING) - Action taken for the session; Values are allow or deny + # # panTimeGenerated (OCTET STRING) - Time the log was generated on the data plane + # # panXffInetAddrType (InetAddressType) - Original session X-Forwarded-For IP address type + # # panXffInetAddr (InetAddress) - Original session X-Forwarded-For IP address. 
+ # # panSrcloc (OCTET STRING) - Source country or Internal region for private addresses. Maximum length is 32 bytes. + # # panDstloc (OCTET STRING) - Destination country or Internal region for private addresses. Maximum length is 32 bytes. + # # panSourceUUID (OCTET STRING) - Source VM UUID for NSX. Maximum length is 36 bytes. + # # panDestinationUUID (OCTET STRING) - Destination VM UUID for NSX. Maximum length is 36 bytes. + # # panRuleUUID (OCTET STRING) - Rule UUID for NSX. Maximum length is 36 bytes. + # # panTunnel (INTEGER) - Types of Tunnel; Values are n/a, gre, ipsec, gtp, gtpu and vxlan. + # # panThreatId (OCTET STRING) - Palo Alto Networks identifier for the threat. It is a numerical identifier followed by a description in parenthesis for some Subtypes. + # # panThreatCategory (OCTET STRING) - Provides URL Category for URL Subtype; For other subtypes the value is 'any'. + # # panThreatContentType (OCTET STRING) - Content type of the HTTP response data. Maximum length 32 bytes. Applicable only when Subtype is URL. + # # panThreatSeverity (INTEGER) - Severity associated with the threat; Values are informational, low, medium, high, critical. + # # panThreatDirection (INTEGER) - Indicates the direction of the attack, 'client-to-server' or 'server-to-client'. + # # panMiscellaneous (OCTET STRING) - The actual URI when the subtype is URL; File name or file type when the subtype is file; and File name when the subtype is virus. + # # panPcapId (Counter64) - A 64-bit unsigned integer denoting an ID that correlates threat pcaps with extended pcaps. + # # panFileDigest (OCTET STRING) - A hash of the file that was sent to the Wildfire cloud. + # # panCloud (OCTET STRING) - FQDN of the Wildfire cloud that analyzed the file. + # # panUrlIndex (INTEGER) - Url Index for correlating related logs. + # # panUserAgent (OCTET STRING) - User Agent field in HTTP header. + # # panXff (OCTET STRING) - X-Forwarded-For field in HTTP header. 
+ # # panReferer (OCTET STRING) - Referer field in HTTP header. + # # panSender (OCTET STRING) - Sender field in email header. + # # panSubject (OCTET STRING) - Subject field in email header. + # # panRecipient (OCTET STRING) - Recipient field in email header. + # # panFileType (OCTET STRING) - File type in WildFire Submissions log. + # # panReportId (OCTET STRING) - Palo Alto Networks identifier for the report. + # # panHttpMethod (INTEGER) - Http method for correlating related logs. + # # panThreatTunnelID (Counter64) - Tunned ID. + # # panThreatImsi (Counter64) - IMSI. + # # panThreatMonitorTag (OCTET STRING) - Monitor Tag. + # # panThreatImei (OCTET STRING) - IMEI. + # # panThreatParentSessionId (Counter32) - Parent Session ID. + # # panThreatParentStartTime (Counter32) - Parent Start Time. + # # panThrCategory (Counter32) - Provides Category. + # # panThreatSrcDevCat (OCTET STRING) - Source Device Category. + # # panThreatDstDevCat (OCTET STRING) - Destination Device Category. + # # panThreatSrcDevPro (OCTET STRING) - Source Device Profile. + # # panThreatDstDevPro (OCTET STRING) - Destination Device Profile. + # # panThreatSrcDevMod (OCTET STRING) - Source Device Model. + # # panThreatDstDevMod (OCTET STRING) - Destination Device Model. + # # panThreatSrcDevVen (OCTET STRING) - Source Device Vendor. + # # panThreatDstDevVen (OCTET STRING) - Destination Device Vendor. + # # panThreatSrcOSFam (OCTET STRING) - Source Operating System Family. + # # panThreatDstOSFam (OCTET STRING) - Destination Operating System Family. + # # panThreatSrcOSVer (OCTET STRING) - Source Operating System Version. + # # panThreatDstOSVer (OCTET STRING) - Destination Operating System Version. + # # panThreatSrcHost (OCTET STRING) - Source Hostname. + # # panThreatDstHost (OCTET STRING) - Destination Hostname. + # # panThreatSrcMAC (Counter64) - Source MAC address. + # # panThreatDstMAC (Counter64) - Destination MAC address. 
+ # # panContainerId (OCTET STRING) - Container ID + # # panPodNamespace (OCTET STRING) - POD Namespace + # # panPodName (OCTET STRING) - POD Name + # # panHostId (OCTET STRING) - Host ID + # # panSerialNo (OCTET STRING) - Serial Number + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.50") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.51") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.52") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.53") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.54") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.55") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.56") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.57") { + # if this.trap.VarBinds.index(16).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.58") { + # if this.trap.VarBinds.index(17).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.59") { + # if this.trap.VarBinds.index(18).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.60") { + # if 
this.trap.VarBinds.index(19).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.61") { + # if this.trap.VarBinds.index(20).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.62") { + # if this.trap.VarBinds.index(21).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.63") { + # if this.trap.VarBinds.index(22).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.64") { + # if this.trap.VarBinds.index(23).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.65") { + # if this.trap.VarBinds.index(24).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.66") { + # if this.trap.VarBinds.index(25).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.67") { + # if this.trap.VarBinds.index(26).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.68") { + # if this.trap.VarBinds.index(27).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.69") { + # if this.trap.VarBinds.index(28).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.70") { + # if this.trap.VarBinds.index(29).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.71") { + # if this.trap.VarBinds.index(30).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.72") { + # if this.trap.VarBinds.index(31).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.87") { + # if this.trap.VarBinds.index(32).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.88") { + # if this.trap.VarBinds.index(33).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.73") { + # if this.trap.VarBinds.index(34).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.74") { + # if this.trap.VarBinds.index(35).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.83") { + # if this.trap.VarBinds.index(36).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.84") { + # if this.trap.VarBinds.index(37).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.86") { + # if this.trap.VarBinds.index(38).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.85") { + # if this.trap.VarBinds.index(39).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.200") { + # if this.trap.VarBinds.index(40).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.201") { + # if this.trap.VarBinds.index(41).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.202") { + # if 
this.trap.VarBinds.index(42).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.203") { + # if this.trap.VarBinds.index(43).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.204") { + # if this.trap.VarBinds.index(44).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.205") { + # if this.trap.VarBinds.index(45).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.206") { + # if this.trap.VarBinds.index(46).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.207") { + # if this.trap.VarBinds.index(47).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.208") { + # if this.trap.VarBinds.index(48).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.209") { + # if this.trap.VarBinds.index(49).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.210") { + # if this.trap.VarBinds.index(50).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.211") { + # if this.trap.VarBinds.index(51).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.212") { + # if this.trap.VarBinds.index(52).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.213") { + # if this.trap.VarBinds.index(53).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.214") { + # if this.trap.VarBinds.index(54).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.215") { + # if this.trap.VarBinds.index(55).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.216") { + # if this.trap.VarBinds.index(56).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.217") { + # if this.trap.VarBinds.index(57).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.218") { + # if this.trap.VarBinds.index(58).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.219") { + # if this.trap.VarBinds.index(59).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.220") { + # if this.trap.VarBinds.index(60).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.221") { + # if this.trap.VarBinds.index(61).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.222") { + # if this.trap.VarBinds.index(62).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.223") { + # if this.trap.VarBinds.index(63).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.224") { + # if this.trap.VarBinds.index(64).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.225") { + # 
if this.trap.VarBinds.index(65).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.226") { + # if this.trap.VarBinds.index(66).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.227") { + # if this.trap.VarBinds.index(67).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.228") { + # if this.trap.VarBinds.index(68).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.229") { + # if this.trap.VarBinds.index(69).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.232") { + # if this.trap.VarBinds.index(70).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.233") { + # if this.trap.VarBinds.index(71).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.230") { + # if this.trap.VarBinds.index(72).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.231") { + # if this.trap.VarBinds.index(73).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.234") { + # if this.trap.VarBinds.index(74).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.235") { + # if this.trap.VarBinds.index(75).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.236") { + # if this.trap.VarBinds.index(76).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.237") { + # if this.trap.VarBinds.index(77).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.238") { + # if this.trap.VarBinds.index(78).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.239") { + # if this.trap.VarBinds.index(79).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.240") { + # if this.trap.VarBinds.index(80).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.241") { + # if this.trap.VarBinds.index(67).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.89") { + # if this.trap.VarBinds.index(68).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.90") { + # if this.trap.VarBinds.index(69).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.91") { + # if this.trap.VarBinds.index(70).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.92") { + # if this.trap.VarBinds.index(71).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.93") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # 
processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panThreatTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panThreatTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panThreatTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panThreatTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panThreatTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 5 + # # panHipMatchTrap + # # + # # A Hipmatch event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. 
+ # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panHipSourceUser (OCTET STRING) - User name of the Source user. + # # panHipMachineName (OCTET STRING) - Name of the Users machine. + # # panHipMatch (OCTET STRING) - Name of the HIP Object or Profile. + # # panHipMatchType (OCTET STRING) - Specifies whether the HIP field represents a HIP Object or a HIP Profile. + # # panHipRepeatCount (Counter32) - Number of times the HIP profile matched. + # # panHipOS (OCTET STRING) - String representing the operating system of the client. + # # panHipSourceIPv6 (OCTET STRING) - HIP Match source IPv6. This field is deprecated. Please use panHipSourceInetAddrType and panHipSourceInetAddr. 
+ # # panHipMAC (Counter64) - HIP Match Device MAC address + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.250") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.251") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.253") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.254") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.255") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.256") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.259") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.262") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. 
= this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHipMatchTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHipMatchTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHipMatchTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHipMatchTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panHipMatchTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 6 + # # panGtpTrap + # # + # # A Tunnel/GTP event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. 
Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panSource (OCTET STRING) - Original session source IP address. + # # panDestination (OCTET STRING) - Original session destination IP address. + # # panNatSource (OCTET STRING) - If Source NAT performed, the post-NAT Source IP address. + # # panNatDestination (OCTET STRING) - If Destination NAT performed, the post-NAT Destination IP address. + # # panRule (OCTET STRING) - Name of the rule that the session matched. + # # panSrcUser (OCTET STRING) - User name of the user that initiated the session. + # # panDstUser (OCTET STRING) - User name of the user to which the session was destined. + # # panApplication (OCTET STRING) - Application associated with the session. + # # panSourceZone (OCTET STRING) - Zone the session was sourced from. + # # panDestinationZone (OCTET STRING) - Zone the session was destined to. + # # panIngressInterface (OCTET STRING) - Interface that the session was sourced form. + # # panEgressInterface (OCTET STRING) - Interface that the session was sourced form. + # # panLogForwardingProfile (OCTET STRING) - Log Forwarding Profile that was applied to the session + # # panSessionID (Counter32) - An internal numerical identifier applied to each session. + # # panRepeatCount (Counter32) - Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; Used for ICMP only. + # # panSourcePort (Counter32) - Source port utilized by the session. + # # panDestinationPort (Counter32) - Destination port utilized by the session. + # # panNatSourcePort (Counter32) - Post-NAT source port. + # # panNatDestinationPort (Counter32) - Post-NAT destination port. + # # panFlags (OCTET STRING) - 32 bit field that provides details on session. 
+ # # panProtocol (OCTET STRING) - IP protocol associated with the session + # # panAction (OCTET STRING) - Action taken for the session; Values are allow or deny + # # panTimeGenerated (OCTET STRING) - Time the log was generated on the data plane + # # panSrcloc (OCTET STRING) - Source country or Internal region for private addresses. Maximum length is 32 bytes. + # # panDstloc (OCTET STRING) - Destination country or Internal region for private addresses. Maximum length is 32 bytes. + # # panXffInetAddrType (InetAddressType) - Original session X-Forwarded-For IP address type + # # panXffInetAddr (InetAddress) - Original session X-Forwarded-For IP address. + # # panTunnel (INTEGER) - Types of Tunnel; Values are n/a, gre, ipsec, gtp, gtpu and vxlan. + # # panGtpParentSessionId (Counter32) - Parent Session ID. + # # panGtpParentStartTime (Counter32) - Parent Start Time. + # # panGtpMsisdn (OCTET STRING) - Mobile Subscriber ISDN Number (MSISDN). + # # panGtpApn (OCTET STRING) - Access point name (APN). + # # panGtpRat (OCTET STRING) - RAT. + # # panGtpMsgType (OCTET STRING) - Message Type. + # # panGtpTunnelID (Counter64) - Tunned ID. + # # panGtpImsi (Counter64) - IMSI. + # # panGtpMonitorTag (OCTET STRING) - Monitor Tag. + # # panGtpImei (OCTET STRING) - IMEI. + # # panGtpInterface (OCTET STRING) - GTP interface. + # # panGtpCauseCode (OCTET STRING) - GTP Cause Code. + # # panGtpEventType (OCTET STRING) - GTP Event Type. + # # panGtpSeverity (INTEGER) - Severity associated with the gtp; Values are informational, low, medium, high, critical. + # # panGtpMcc (Counter32) - Mobile country code. + # # panGtpMnc (Counter32) - Mobile network code. + # # panGtpEventCode (Counter32) - Event code. + # # panGtpBytes (Counter64) - Number of total bytes (transmit and receive) for the session. + # # panGtpPackets (Counter32) - Number of total packets (transmit and receive) for the session. 
+ # # panGtpMaxEncap (Counter32) - Packets dropped due to maximum encapsulation level reached. + # # panGtpUnknownProto (Counter32) - Packets dropped due to unknown protocol seen. + # # panGtpStrictCheck (Counter32) - Packets dropped due to failure to meet RFC strict header checking. + # # panGtpTunnelFragment (Counter32) - Packets dropped due to fragmentation errors. + # # panGtpSessionsCreated (Counter32) - Number of inner sessions created for time duration. + # # panGtpSessionsClosed (Counter32) - Number of completed closed/ended inner sessions for time duration. + # # panGtpSessionEndReason (OCTET STRING) - Session end reason. + # # panGtpActionSource (OCTET STRING) - Action source. + # # panGtpStartTime (OCTET STRING) - Time of session start. + # # panGtpElapsed (TimeTicks) - Elapsed time of the session. + # # panGtpTCIRule (OCTET STRING) - Name of the tunnel content inspection rule that the session matched. + # # panGtpRemoteUserIp (InetAddress) - Remote User IP address for GTP IoT. + # # panGtpRemoteUserId (Counter64) - Remote User ID for GTP IoT. + # # panRuleUUID (OCTET STRING) - Rule UUID for NSX. Maximum length is 36 bytes. 
+ # # panContainerId (OCTET STRING) - Container ID + # # panPodNamespace (OCTET STRING) - POD Namespace + # # panPodName (OCTET STRING) - POD Name + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.50") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.51") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.52") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.53") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.54") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.55") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.56") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.57") { + # if this.trap.VarBinds.index(16).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.58") { + # if this.trap.VarBinds.index(17).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.59") { + # if this.trap.VarBinds.index(18).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.60") { + # if this.trap.VarBinds.index(19).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.61") { + # if 
this.trap.VarBinds.index(20).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.62") { + # if this.trap.VarBinds.index(21).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.63") { + # if this.trap.VarBinds.index(22).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.64") { + # if this.trap.VarBinds.index(23).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.65") { + # if this.trap.VarBinds.index(24).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.66") { + # if this.trap.VarBinds.index(25).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.67") { + # if this.trap.VarBinds.index(26).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.68") { + # if this.trap.VarBinds.index(27).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.69") { + # if this.trap.VarBinds.index(28).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.70") { + # if this.trap.VarBinds.index(29).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.71") { + # if this.trap.VarBinds.index(30).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.72") { + # if this.trap.VarBinds.index(31).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.73") { + # if this.trap.VarBinds.index(32).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.74") { + # if this.trap.VarBinds.index(33).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.87") { + # if this.trap.VarBinds.index(34).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.88") { + # if this.trap.VarBinds.index(35).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.85") { + # if this.trap.VarBinds.index(36).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.404") { + # if this.trap.VarBinds.index(37).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.405") { + # if this.trap.VarBinds.index(38).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.406") { + # if this.trap.VarBinds.index(39).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.407") { + # if this.trap.VarBinds.index(40).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.408") { + # if this.trap.VarBinds.index(41).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.409") { + # if this.trap.VarBinds.index(42).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.400") { + # if 
this.trap.VarBinds.index(43).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.401") { + # if this.trap.VarBinds.index(44).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.402") { + # if this.trap.VarBinds.index(45).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.403") { + # if this.trap.VarBinds.index(46).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.414") { + # if this.trap.VarBinds.index(47).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.415") { + # if this.trap.VarBinds.index(48).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.416") { + # if this.trap.VarBinds.index(49).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.417") { + # if this.trap.VarBinds.index(50).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.418") { + # if this.trap.VarBinds.index(51).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.419") { + # if this.trap.VarBinds.index(52).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.422") { + # if this.trap.VarBinds.index(53).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.423") { + # if this.trap.VarBinds.index(54).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.424") { + # if this.trap.VarBinds.index(55).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.425") { + # if this.trap.VarBinds.index(56).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.426") { + # if this.trap.VarBinds.index(57).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.427") { + # if this.trap.VarBinds.index(58).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.428") { + # if this.trap.VarBinds.index(59).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.429") { + # if this.trap.VarBinds.index(60).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.430") { + # if this.trap.VarBinds.index(61).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.431") { + # if this.trap.VarBinds.index(62).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.432") { + # if this.trap.VarBinds.index(63).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.433") { + # if this.trap.VarBinds.index(64).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.434") { + # if this.trap.VarBinds.index(65).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.435") { + # 
if this.trap.VarBinds.index(66).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.437") { + # if this.trap.VarBinds.index(67).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.438") { + # if this.trap.VarBinds.index(68).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.86") { + # if this.trap.VarBinds.index(69).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.89") { + # if this.trap.VarBinds.index(70).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.90") { + # if this.trap.VarBinds.index(71).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.91") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. 
+ + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGtpTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGtpTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGtpTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGtpTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panGtpTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 7 + # # panUseridTrap + # # + # # A Userid event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panUseridSourceInetAddrType (InetAddressType) - Original session source IP address type + # # panUseridSourceInetAddr (InetAddress) - Original session source IP address. 
+ # # panUseridUser (OCTET STRING) - UserName + # # panUseridDataSourceName (OCTET STRING) - DataSourceName + # # panUseridEventID (Counter32) - Event ID + # # panUseridRepeatCount (Counter32) - Number of times the Userid profile matched. + # # panUseridTimeout (Counter32) - Timeout + # # panUseridBeginport (Counter32) - Begin port + # # panUseridEndport (Counter32) - End port + # # panUseridDataSource (INTEGER) - Types of DataSource; Values are unknown, agent, tsAgent, eventLog, probing, serverSessionMonitor, captivePortal, vpnClient, xmlApi, ha, activeDirectory, eDirectory, syslog. + # # panUseridDataSourceType (INTEGER) - Types of DataSource subtype; Values are unknown, directoryServer, exchangeServer, edirectoryServer, wmiProbing, clientCert, sso, kerbos, authenticate, globalprotect, vpnClient. + # # panUseridFactorType (OCTET STRING) - Factor Type + # # panUseridFactorTime (OCTET STRING) - Time the factor was completed. + # # panUseridFactorNo (Counter32) - Factor Number + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.500") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.501") { + # if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.502") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.503") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.504") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.505") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.506") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.507") { + # if this.trap.VarBinds.index(16).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.508") { + # if this.trap.VarBinds.index(17).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.509") { + # if this.trap.VarBinds.index(18).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.510") { + # if this.trap.VarBinds.index(19).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.511") { + # if this.trap.VarBinds.index(20).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.512") { + # if this.trap.VarBinds.index(21).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.513") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. 
+ + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUseridTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUseridTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUseridTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUseridTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panUseridTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 8 + # # panAuthTrap + # # + # # A Authentication event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. 
+ # # panUseridSourceInetAddrType (InetAddressType) - Original session source IP address type + # # panUseridSourceInetAddr (InetAddress) - Original session source IP address. + # # panAuthUser (OCTET STRING) - UserName + # # panAuthNormalizeUser (OCTET STRING) - Normalize UserName + # # panAuthObject (OCTET STRING) - Authentication Object. + # # panAuthPolicy (OCTET STRING) - Authentication Policy + # # panAuthRepeatCount (Counter32) - Number of times the Userid profile matched. + # # panAuthID (Counter64) - Authentication ID + # # panAuthVendor (OCTET STRING) - Authentication Vendor + # # panAuthLogForwardingProfile (OCTET STRING) - Log Forwarding Profile that was applied to the session + # # panAuthClientType (INTEGER) - Types of client; Values are admin ui, cli, globalprotect portal, globalprotect gateway, clientless vpn, authentication portal. + # # panAuthDescription (OCTET STRING) - Authentication log event description + # # panAuthServerProfile (OCTET STRING) - Authentication Server Profile + # # panAuthEvent (INTEGER) - Types of event; Values are success, failure, userPasswordFailure, user is locked, userNotAllowed, invalidCertificate, passwordExpired, kerberosSingleSignOnFailed, samlSingleSignOnFailed, mfaFailedAndTimeout. 
+ # # panAuthFactorNo (Counter32) - Factor Number + # # panAuthProto (INTEGER) - Types of authentication Protocols: peapWithEapGtc, peapMschapv2, ttlsPap, pap, chap + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.500") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.501") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(16).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(17).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(18).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(19).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if 
this.trap.VarBinds.index(20).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(21).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(22).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # if this.trap.VarBinds.index(23).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAuthTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAuthTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAuthTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAuthTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panAuthTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 9 + # # panSctpTrap + # # + # # A SCTP event trap. 
+ # #
+ # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane.
+ # # panSerial (OCTET STRING) - Serial number of the device that generated the log.
+ # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match.
+ # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny.
+ # # panVsys (OCTET STRING) - Virtual System associated with the session.
+ # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space
+ # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama.
+ # # panSource (OCTET STRING) - Original session source IP address.
+ # # panDestination (OCTET STRING) - Original session destination IP address.
+ # # panNatSource (OCTET STRING) - If Source NAT performed, the post-NAT Source IP address.
+ # # panNatDestination (OCTET STRING) - If Destination NAT performed, the post-NAT Destination IP address.
+ # # panRule (OCTET STRING) - Name of the rule that the session matched.
+ # # panSrcUser (OCTET STRING) - User name of the user that initiated the session.
+ # # panDstUser (OCTET STRING) - User name of the user to which the session was destined.
+ # # panApplication (OCTET STRING) - Application associated with the session.
+ # # panSourceZone (OCTET STRING) - Zone the session was sourced from.
+ # # panDestinationZone (OCTET STRING) - Zone the session was destined to.
+ # # panIngressInterface (OCTET STRING) - Interface that the session was sourced form.
+ # # panEgressInterface (OCTET STRING) - Interface that the session was sourced form.
+ # # panLogForwardingProfile (OCTET STRING) - Log Forwarding Profile that was applied to the session
+ # # panSessionID (Counter32) - An internal numerical identifier applied to each session.
+ # # panRepeatCount (Counter32) - Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; Used for ICMP only.
+ # # panSourcePort (Counter32) - Source port utilized by the session.
+ # # panDestinationPort (Counter32) - Destination port utilized by the session.
+ # # panNatSourcePort (Counter32) - Post-NAT source port.
+ # # panNatDestinationPort (Counter32) - Post-NAT destination port.
+ # # panFlags (OCTET STRING) - 32 bit field that provides details on session.
+ # # panProtocol (OCTET STRING) - IP protocol associated with the session
+ # # panAction (OCTET STRING) - Action taken for the session; Values are allow or deny
+ # # panTimeGenerated (OCTET STRING) - Time the log was generated on the data plane
+ # # panSrcloc (OCTET STRING) - Source country or Internal region for private addresses. Maximum length is 32 bytes.
+ # # panDstloc (OCTET STRING) - Destination country or Internal region for private addresses. Maximum length is 32 bytes.
+ # # panXffInetAddrType (InetAddressType) - Original session X-Forwarded-For IP address type
+ # # panXffInetAddr (InetAddress) - Original session X-Forwarded-For IP address.
+ # # panSourceInetAddrType (InetAddressType) - Original session source IP address type
+ # # panSourceInetAddr (InetAddress) - Original session source IP address.
+ # # panSctpAssocId (Counter64) - SCTP Association ID.
+ # # panSctpPpid (OCTET STRING) - Payload Protocol ID.
+ # # panSctpSeverity (INTEGER) - Severity associated with the SCTP event; Values are informational, low, medium, high, critical.
+ # # panSctpChunkType (OCTET STRING) - SCTP Chunk Type.
+ # # panSctpEventType (OCTET STRING) - SCTP Event Type.
+ # # panSctpEventCode (INTEGER) - SCTP Event Code
+ # # panSctpVerifTag1 (Counter32) - SCTP Verification Tag 1.
+ # # panSctpVerifTag2 (Counter32) - SCTP Verification Tag 2.
+ # # panSctpCauseCode (OCTET STRING) - SCTP Cause Code.
+ # # panSctpDiamAppId (OCTET STRING) - Diameter Application ID.
+ # # panSctpDiamCmdCode (OCTET STRING) - Diameter Command Code. + # # panSctpDiamAvpCode (Counter32) - Diameter AVP Code. + # # panSctpStreamId (Counter32) - SCTP Stream ID. + # # panSctpOpCode (OCTET STRING) - Map Operaiton Code. + # # panSctpCallingSSN (OCTET STRING) - SCTP Calling Party SSN. + # # panSctpCallingGT (OCTET STRING) - SCTP Calling Global Title. + # # panSctpEndReason (OCTET STRING) - SCTP Session end reason. + # # panSctpChunks (Counter32) - Number of total chunks (transmit and receive) for the SCTP session. + # # panSctpPackets (Counter32) - Number of total packets (transmit and receive) for the SCTP session. + # # panRuleUUID (OCTET STRING) - Rule UUID for NSX. Maximum length is 36 bytes. + # # panContainerId (OCTET STRING) - Container ID + # # panPodNamespace (OCTET STRING) - POD Namespace + # # panPodName (OCTET STRING) - POD Name + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.50") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.51") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.52") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.53") { + # if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.54") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.55") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.56") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.57") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.58") { + # if this.trap.VarBinds.index(16).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.59") { + # if this.trap.VarBinds.index(17).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.60") { + # if this.trap.VarBinds.index(18).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.61") { + # if this.trap.VarBinds.index(19).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.62") { + # if this.trap.VarBinds.index(20).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.63") { + # if this.trap.VarBinds.index(21).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.64") { + # if this.trap.VarBinds.index(22).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.65") { + # if this.trap.VarBinds.index(23).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.66") { + # if this.trap.VarBinds.index(24).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.67") { + # if this.trap.VarBinds.index(25).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.68") { + # if this.trap.VarBinds.index(26).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.69") { + # if this.trap.VarBinds.index(27).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.70") { + # if this.trap.VarBinds.index(28).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.71") { + # if this.trap.VarBinds.index(29).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.72") { + # if this.trap.VarBinds.index(30).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.73") { + # if this.trap.VarBinds.index(31).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.74") { + # if this.trap.VarBinds.index(32).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.87") { + # if this.trap.VarBinds.index(33).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.88") { + # if 
this.trap.VarBinds.index(34).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.75") { + # if this.trap.VarBinds.index(35).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.76") { + # if this.trap.VarBinds.index(36).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.700") { + # if this.trap.VarBinds.index(37).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.701") { + # if this.trap.VarBinds.index(38).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.702") { + # if this.trap.VarBinds.index(39).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.703") { + # if this.trap.VarBinds.index(40).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.704") { + # if this.trap.VarBinds.index(41).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.705") { + # if this.trap.VarBinds.index(42).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.706") { + # if this.trap.VarBinds.index(43).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.707") { + # if this.trap.VarBinds.index(44).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.708") { + # if this.trap.VarBinds.index(45).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.709") { + # if this.trap.VarBinds.index(46).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.710") { + # if this.trap.VarBinds.index(47).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.711") { + # if this.trap.VarBinds.index(48).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.712") { + # if this.trap.VarBinds.index(49).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.713") { + # if this.trap.VarBinds.index(50).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.714") { + # if this.trap.VarBinds.index(51).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.715") { + # if this.trap.VarBinds.index(52).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.716") { + # if this.trap.VarBinds.index(53).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.717") { + # if this.trap.VarBinds.index(54).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.718") { + # if this.trap.VarBinds.index(55).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.86") { + # if this.trap.VarBinds.index(56).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.89") { + # if 
this.trap.VarBinds.index(57).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.90") { + # if this.trap.VarBinds.index(58).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.91") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSctpTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSctpTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSctpTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSctpTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panSctpTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 10 + # # panCorrTrap + # # + # # A Correlation event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. 
+ # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panCorrSeverity (INTEGER) - Correlation log event severity + # # panCorrDG1 (OCTET STRING) - Correlation log DG Heirarchy 1 + # # panCorrDG2 (OCTET STRING) - Correlation log DG Heirarchy 2 + # # panCorrDG3 (OCTET STRING) - Correlation log DG Heirarchy 3 + # # panCorrDG4 (OCTET STRING) - Correlation log DG Heirarchy 4 + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panCorrObjName (OCTET STRING) - Correlation log Object Name + # # panCorrObjID (INTEGER) - Correlation log Object ID + # # panCorrEvidence (OCTET STRING) - Correlation log Evidence + # # panHostId (OCTET STRING) - Host ID + # # panSerialNo (OCTET STRING) - Serial Number + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.356") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.350") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.351") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.352") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.353") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.354") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.355") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.356") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.357") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.93") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCorrTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCorrTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCorrTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCorrTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panCorrTrap trap!" 
+ # root.out.event.severity.code = 4
+ # root.out.event.severity.level = "Warning"
+
+ # - check: this.trap.SpecificTrap == 11
+ # # panIpTagTrap
+ # #
+ # # A IP-Tag event trap.
+ # #
+ # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane.
+ # # panSerial (OCTET STRING) - Serial number of the device that generated the log.
+ # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match.
+ # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny.
+ # # panVsys (OCTET STRING) - Virtual System associated with the session.
+ # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space
+ # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama.
+ # # panHostname (OCTET STRING) - Host name of the device that generated the trap.
+ # # panIpTagIp (IpAddress) - Tag Ip Address.
+ # # panIpTagName (OCTET STRING) - Tag Name.
+ # # panIpTagEvent (OCTET STRING) - Tag Event
+ # # panIpTagRepeatCount (Counter32) - Repeat of the event.
+ # # panIpTagTimeout (Counter32) - Tag Timeout + # # panIpTagDataSourceName (OCTET STRING) - Tag Data Source Name + # # panIpTagDataSourceType (OCTET STRING) - Tag Data Source Type + # # panIpTagDataSourceSubType (OCTET STRING) - Tag Data Source SubType + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.750") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.751") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.752") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.753") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.754") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.755") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.756") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.757") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. 
= this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIpTagTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIpTagTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIpTagTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIpTagTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panIpTagTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 12 + # # panDecryptionTrap + # # + # # A decryption event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. 
Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panSource (OCTET STRING) - Original session source IP address. + # # panDestination (OCTET STRING) - Original session destination IP address. + # # panNatSource (OCTET STRING) - If Source NAT performed, the post-NAT Source IP address. + # # panNatDestination (OCTET STRING) - If Destination NAT performed, the post-NAT Destination IP address. + # # panRule (OCTET STRING) - Name of the rule that the session matched. + # # panSrcUser (OCTET STRING) - User name of the user that initiated the session. + # # panDstUser (OCTET STRING) - User name of the user to which the session was destined. + # # panApplication (OCTET STRING) - Application associated with the session. + # # panSourceZone (OCTET STRING) - Zone the session was sourced from. + # # panDestinationZone (OCTET STRING) - Zone the session was destined to. + # # panIngressInterface (OCTET STRING) - Interface that the session was sourced form. + # # panEgressInterface (OCTET STRING) - Interface that the session was sourced form. + # # panLogForwardingProfile (OCTET STRING) - Log Forwarding Profile that was applied to the session + # # panSessionID (Counter32) - An internal numerical identifier applied to each session. + # # panRepeatCount (Counter32) - Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; Used for ICMP only. + # # panSourcePort (Counter32) - Source port utilized by the session. + # # panDestinationPort (Counter32) - Destination port utilized by the session. + # # panNatSourcePort (Counter32) - Post-NAT source port. + # # panNatDestinationPort (Counter32) - Post-NAT destination port. + # # panFlags (OCTET STRING) - 32 bit field that provides details on session. 
+ # # panProtocol (OCTET STRING) - IP protocol associated with the session
+ # # panAction (OCTET STRING) - Action taken for the session; Values are allow or deny
+ # # panTimeGenerated (OCTET STRING) - Time the log was generated on the data plane
+ # # panSrcloc (OCTET STRING) - Source country or Internal region for private addresses. Maximum length is 32 bytes.
+ # # panDstloc (OCTET STRING) - Destination country or Internal region for private addresses. Maximum length is 32 bytes.
+ # # panRuleUUID (OCTET STRING) - Rule UUID for NSX. Maximum length is 36 bytes.
+ # # panDecryptTLSVersion (INTEGER) - TLS Version.
+ # # panDecryptTLSKeyXchg (INTEGER) - Key Exchange Algorithm.
+ # # panDecryptTLSEnc (INTEGER) - Encryption Algorithm.
+ # # panDecryptTLSAuth (INTEGER) - Hash Algorithm.
+ # # panDecryptECUrve (INTEGER) - Elaptic Curve.
+ # # panDecryptErrIndex (INTEGER) - Error Index.
+ # # panDecryptProxyType (INTEGER) - Proxy Type.
+ # # panDecryptCN (OCTET STRING) - Common Name.
+ # # panDecryptCertFlags (INTEGER) - Cert Flags.
+ # # panDecryptNotBefore (Counter32) - Not Before.
+ # # panDecryptSNI (OCTET STRING) - Server Name Indication.
+ # # panDecryptNotAfter (Counter32) - Not After.
+ # # panDecryptPolicyName (OCTET STRING) - Policy Name.
+ # # panDecryptRootCN (OCTET STRING) - Root Common Name.
+ # # panDecryptIssuerCN (OCTET STRING) - Issuer Common Name.
+ # # panDecryptCertSerial (OCTET STRING) - Serial No.
+ # # panDecryptDigest (OCTET STRING) - FingerPrint.
+ # # panContainerId (OCTET STRING) - Container ID
+ # # panPodNamespace (OCTET STRING) - POD Namespace
+ # # panPodName (OCTET STRING) - POD Name
+ # # panSrcDAG (OCTET STRING) - Source DAG.
+ # # panDstDAG (OCTET STRING) - Destination DAG.
+ # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.50") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.51") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.52") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.53") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.54") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.55") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.56") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.57") { + # if this.trap.VarBinds.index(16).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.58") { + # if this.trap.VarBinds.index(17).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.59") { + # if this.trap.VarBinds.index(18).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.60") { + # if this.trap.VarBinds.index(19).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.61") { + # if this.trap.VarBinds.index(20).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.62") { + # if 
this.trap.VarBinds.index(21).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.63") { + # if this.trap.VarBinds.index(22).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.64") { + # if this.trap.VarBinds.index(23).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.65") { + # if this.trap.VarBinds.index(24).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.66") { + # if this.trap.VarBinds.index(25).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.67") { + # if this.trap.VarBinds.index(26).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.68") { + # if this.trap.VarBinds.index(27).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.69") { + # if this.trap.VarBinds.index(28).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.70") { + # if this.trap.VarBinds.index(29).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.71") { + # if this.trap.VarBinds.index(30).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.72") { + # if this.trap.VarBinds.index(31).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.73") { + # if this.trap.VarBinds.index(32).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.74") { + # if this.trap.VarBinds.index(33).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.86") { + # if this.trap.VarBinds.index(34).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.800") { + # if this.trap.VarBinds.index(35).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.801") { + # if this.trap.VarBinds.index(36).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.802") { + # if this.trap.VarBinds.index(37).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.803") { + # if this.trap.VarBinds.index(38).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.804") { + # if this.trap.VarBinds.index(39).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.805") { + # if this.trap.VarBinds.index(40).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.806") { + # if this.trap.VarBinds.index(41).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.808") { + # if this.trap.VarBinds.index(42).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.807") { + # if this.trap.VarBinds.index(43).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.813") { + # if 
this.trap.VarBinds.index(44).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.811") { + # if this.trap.VarBinds.index(45).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.812") { + # if this.trap.VarBinds.index(46).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.814") { + # if this.trap.VarBinds.index(47).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.810") { + # if this.trap.VarBinds.index(48).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.809") { + # if this.trap.VarBinds.index(49).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.815") { + # if this.trap.VarBinds.index(50).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.816") { + # if this.trap.VarBinds.index(51).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.89") { + # if this.trap.VarBinds.index(52).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.90") { + # if this.trap.VarBinds.index(53).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.91") { + # if this.trap.VarBinds.index(54).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.818") { + # if this.trap.VarBinds.index(55).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.819") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. = this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. 
+ + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDecryptionTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDecryptionTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDecryptionTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDecryptionTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panDecryptionTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + + # - check: this.trap.SpecificTrap == 13 + # # panGlobalprotectTrap + # # + # # A Globalprotect event trap. + # # + # # panReceiveTime (OCTET STRING) - Time the log was received at the management plane. + # # panSerial (OCTET STRING) - Serial number of the device that generated the log. + # # panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. + # # panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. + # # panVsys (OCTET STRING) - Virtual System associated with the session. + # # panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space + # # panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. + # # panHostname (OCTET STRING) - Host name of the device that generated the trap. + # # panSystemEventId (OCTET STRING) - System log event ID + # # panGlobalProtectStatus (INTEGER) - Status. 
+ # # panGlobalProtectStage (OCTET STRING) - Stage.
+ # # panGlobalProtectAuthMethod (OCTET STRING) - Authentication Method.
+ # # panGlobalProtectTunnelType (OCTET STRING) - Tunnel Type.
+ # # panGlobalProtectPortal (OCTET STRING) - Portal.
+ # # panSrcUser (OCTET STRING) - User name of the user that initiated the session.
+ # # panGlobalProtectSrcRegion (OCTET STRING) - Source Region.
+ # # panHipMachineName (OCTET STRING) - Name of the Users machine.
+ # # panGlobalProtectPublicIP (IpAddress) - Public IP.
+ # # panGlobalProtectPublicIPv6 (IpAddress) - Public IPv6.
+ # # panGlobalProtectPrivateIP (IpAddress) - Private IP.
+ # # panGlobalProtectPrivateIPv6 (IpAddress) - Private IPv6.
+ # # panGlobalProtectHostId (OCTET STRING) - Host ID
+ # # panGlobalProtectSerialNo (OCTET STRING)
+ # # panGlobalProtectClientVersion (INTEGER) - Client Version.
+ # # panGlobalProtectClientOSVersion (OCTET STRING) - Client OS Version.
+ # # panLogForwardingProfile (OCTET STRING) - Log Forwarding Profile that was applied to the session
+ # # panRepeatCount (Counter32) - Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; Used for ICMP only.
+ # # panGlobalProtectLoginDuration (INTEGER) - Login Duration.
+ # # panGlobalProtectConnectMethod (OCTET STRING) - Connect Method.
+ # # panGlobalProtectReason (OCTET STRING) - Reason.
+ # # panGlobalProtectLocation (OCTET STRING) - Location.
+ # # panGlobalProtectErrorCode (INTEGER) - Error Code.
+ # # panGlobalProtectError (OCTET STRING) - Error.
+ # # panSystemDescription (OCTET STRING) - System log event description
+ # # panGlobalProtectSelectionType (OCTET STRING) - Selection Type.
+ # # panGlobalProtectResponseTime (INTEGER) - Response Time + # # panGlobalProtectPriority (INTEGER) - Priority + # # panGlobalProtectAttemptedGateways (OCTET STRING) - Attempted Gateways + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta varbinds_ok = false + # if this.trap.VarBinds.length() > { + # if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + # if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + # if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + # if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + # if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + # if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + # if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + # if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + # if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + # if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.900") { + # if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.901") { + # if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.902") { + # if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.903") { + # if this.trap.VarBinds.index(13).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.904") { + # if this.trap.VarBinds.index(14).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.55") { + # if this.trap.VarBinds.index(15).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.905") { + # if this.trap.VarBinds.index(16).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.251") { + # if this.trap.VarBinds.index(17).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.906") { + # if this.trap.VarBinds.index(18).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.907") { + # if 
this.trap.VarBinds.index(19).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.908") { + # if this.trap.VarBinds.index(20).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.909") { + # if this.trap.VarBinds.index(21).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.922") { + # if this.trap.VarBinds.index(22).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.923") { + # if this.trap.VarBinds.index(23).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.910") { + # if this.trap.VarBinds.index(24).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.911") { + # if this.trap.VarBinds.index(25).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.62") { + # if this.trap.VarBinds.index(26).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.64") { + # if this.trap.VarBinds.index(27).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.912") { + # if this.trap.VarBinds.index(28).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.913") { + # if this.trap.VarBinds.index(29).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.914") { + # if this.trap.VarBinds.index(30).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.915") { + # if this.trap.VarBinds.index(31).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.916") { + # if this.trap.VarBinds.index(32).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.917") { + # if this.trap.VarBinds.index(33).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + # if this.trap.VarBinds.index(34).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.918") { + # if this.trap.VarBinds.index(35).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.919") { + # if this.trap.VarBinds.index(36).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.920") { + # if this.trap.VarBinds.index(37).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.921") { + # meta varbinds_ok = true + # }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + + # - switch: + # - check: metadata("varbinds_ok") + # processors: + # - mapping: |- + # #!blobl + # root = this + + # meta = this.trap.VarBinds.index().Value + + # root.out.paloalto. 
= this.trap.VarBinds.index().Value + + # root.out.object.name = "PAN-TRAPS::OBJECT" + # root.out.object.index = this.trap.VarBinds.index().OID.snmp_oid_get_index("") + # root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + # root.out.object.label = ": " + root.out.paloalto. + ", : " + root.out.paloalto. + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectTrap" + # root.out.event.category.name = "" + # root.out.event.message = "" + # root.out.event.severity.code = 0 + # root.out.event.severity.level = "SEVERITY" + + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.message = if root.out.exists("object.label") { + # root.out.event.message + " [ " + root.out.object.label + " ]" + # } + + # - processors: + # - mapping: |- + # #!blobl + # root = this + + # root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectTrap" + # root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectTrap-unknown" + # root.out.event.category.name = "" + # root.out.event.message = " - UNEXPECTED VARBINDS for panGlobalprotectTrap trap!" + # root.out.event.severity.code = 4 + # root.out.event.severity.level = "Warning" + +# The following varbinds are sent with all specific traps 100 and above +# +# panReceiveTime (OCTET STRING) - Time the log was received at the management plane. +# panSerial (OCTET STRING) - Serial number of the device that generated the log. +# panEventType (OCTET STRING) - Specifies type of log; Values are traffic, threat, config, system and hip-match. +# panEventSubType (OCTET STRING) - Subtype of traffic log; Values are start, end, drop, and deny. +# panVsys (OCTET STRING) - Virtual System associated with the session. +# panSeqno (Counter64) - A 64-bit log entry identifier incremented sequentially. 
Each log type has a unique number space +# panActionflags (OCTET STRING) - A bit field indicating if the log was forwarded to Panorama. +# panHostname (OCTET STRING) - Host name of the device that generated the trap. +# panSystemEventId (OCTET STRING) - System log event ID +# panSystemObject (OCTET STRING) - System log event object +# panSystemModule (OCTET STRING) - System log event module +# panSystemSeverity (INTEGER) - System log event severity +# panSystemDescription (OCTET STRING) - System log event description + + - check: this.trap.SpecificTrap == 100 + # panCryptoCertExpiryTrap + # + # Certificate expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + 
root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoCertExpiryTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoCertExpiryTrap" + root.out.event.category.name = "panCryptoCertExpiryTrap" + root.out.event.message = "panCryptoCertExpiryTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoCertExpiryTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoCertExpiryTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCryptoCertExpiryTrap - UNEXPECTED VARBINDS for panCryptoCertExpiryTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 101 + # panCryptoMkeyExpiryTrap + # + # Master key expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyExpiryTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyExpiryTrap" + root.out.event.category.name = "panCryptoMkeyExpiryTrap" + root.out.event.message = "panCryptoMkeyExpiryTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyExpiryTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyExpiryTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCryptoMkeyExpiryTrap - UNEXPECTED VARBINDS for panCryptoMkeyExpiryTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 102 + # panCryptoMkeyExpiryReminderTrap + # + # Master key expiry reminder + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyExpiryReminderTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyExpiryReminderTrap" + root.out.event.category.name = "panCryptoMkeyExpiryReminderTrap" + root.out.event.message = "panCryptoMkeyExpiryReminderTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyExpiryReminderTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyExpiryReminderTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCryptoMkeyExpiryReminderTrap - UNEXPECTED VARBINDS for panCryptoMkeyExpiryReminderTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 103 + # panCryptoHSMStateChangeTrap + # + # HSM state goes up/down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoHSMStateChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoHSMStateChangeTrap" + root.out.event.category.name = "panCryptoHSMStateChangeTrap" + root.out.event.message = "panCryptoHSMStateChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoHSMStateChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoHSMStateChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCryptoHSMStateChangeTrap - UNEXPECTED VARBINDS for panCryptoHSMStateChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 104 + # panCryptoPrivateKeyExportTrap + # + # Private key exported + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoPrivateKeyExportTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoPrivateKeyExportTrap" + root.out.event.category.name = "panCryptoPrivateKeyExportTrap" + root.out.event.message = "panCryptoPrivateKeyExportTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoPrivateKeyExportTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoPrivateKeyExportTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCryptoPrivateKeyExportTrap - UNEXPECTED VARBINDS for panCryptoPrivateKeyExportTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 105 + # panCryptoDeployMkeyChangeTrap + # + # Deployed master key change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoDeployMkeyChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoDeployMkeyChangeTrap" + root.out.event.category.name = "panCryptoDeployMkeyChangeTrap" + root.out.event.message = "panCryptoDeployMkeyChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoDeployMkeyChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoDeployMkeyChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCryptoDeployMkeyChangeTrap - UNEXPECTED VARBINDS for panCryptoDeployMkeyChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 106 + # panCryptoMkeyChangeTrap + # + # Master key changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyChangeTrap" + root.out.event.category.name = "panCryptoMkeyChangeTrap" + root.out.event.message = "panCryptoMkeyChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCryptoMkeyChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCryptoMkeyChangeTrap - UNEXPECTED VARBINDS for panCryptoMkeyChangeTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 200 + # panDHCPLeaseStartTrap + # + # DHCP lease started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPLeaseStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPLeaseStartTrap" + root.out.event.category.name = "panDHCPLeaseStartTrap" + root.out.event.message = "panDHCPLeaseStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPLeaseStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPLeaseStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPLeaseStartTrap - UNEXPECTED VARBINDS for panDHCPLeaseStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 201 + # panDHCPLeaseEndTrap + # + # DHCP lease ended + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPLeaseEndTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPLeaseEndTrap" + root.out.event.category.name = "panDHCPLeaseEndTrap" + root.out.event.message = "panDHCPLeaseEndTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPLeaseEndTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPLeaseEndTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPLeaseEndTrap - UNEXPECTED VARBINDS for panDHCPLeaseEndTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 202 + # panDHCPServerOnTrap + # + # DHCP server on + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerOnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerOnTrap" + root.out.event.category.name = "panDHCPServerOnTrap" + root.out.event.message = "panDHCPServerOnTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerOnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerOnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPServerOnTrap - UNEXPECTED VARBINDS for panDHCPServerOnTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 203 + # panDHCPServerAutoProbeOnTrap + # + # DHCP server auto-probe finished turn on DHCP server since no offer received + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + 
if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerAutoProbeOnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerAutoProbeOnTrap" + root.out.event.category.name = "panDHCPServerAutoProbeOnTrap" + root.out.event.message = "panDHCPServerAutoProbeOnTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerAutoProbeOnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerAutoProbeOnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPServerAutoProbeOnTrap - UNEXPECTED VARBINDS for panDHCPServerAutoProbeOnTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 204 + # panDHCPServerAutoProbeOffTrap + # + # DHCP server auto-probe finished turn off DHCP server since received offer + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerAutoProbeOffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerAutoProbeOffTrap" + root.out.event.category.name = "panDHCPServerAutoProbeOffTrap" + root.out.event.message = "panDHCPServerAutoProbeOffTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerAutoProbeOffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerAutoProbeOffTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPServerAutoProbeOffTrap - UNEXPECTED VARBINDS for panDHCPServerAutoProbeOffTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 205 + # panDHCPServerNoFreeIpTrap + # + # DHCP server runs out of ip pool + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerNoFreeIpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerNoFreeIpTrap" + root.out.event.category.name = "panDHCPServerNoFreeIpTrap" + root.out.event.message = "panDHCPServerNoFreeIpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerNoFreeIpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPServerNoFreeIpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPServerNoFreeIpTrap - UNEXPECTED VARBINDS for panDHCPServerNoFreeIpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 206 + # panDHCPIpAlreadyInUseTrap + # + # ip address is already in use + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIpAlreadyInUseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIpAlreadyInUseTrap" + root.out.event.category.name = "panDHCPIpAlreadyInUseTrap" + root.out.event.message = "panDHCPIpAlreadyInUseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIpAlreadyInUseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIpAlreadyInUseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIpAlreadyInUseTrap - UNEXPECTED VARBINDS for panDHCPIpAlreadyInUseTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 207 + # panDHCPRelayOnTrap + # + # DHCP relay on + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelayOnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelayOnTrap" + root.out.event.category.name = "panDHCPRelayOnTrap" + root.out.event.message = "panDHCPRelayOnTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelayOnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelayOnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPRelayOnTrap - UNEXPECTED VARBINDS for panDHCPRelayOnTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 208 + # panDHCPRelayOffTrap + # + # DHCP relay off + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelayOffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelayOffTrap" + root.out.event.category.name = "panDHCPRelayOffTrap" + root.out.event.message = "panDHCPRelayOffTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelayOffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelayOffTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPRelayOffTrap - UNEXPECTED VARBINDS for panDHCPRelayOffTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 209 + # panDHCPRelay6OnTrap + # + # DHCPv6 relay on + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelay6OnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelay6OnTrap" + root.out.event.category.name = "panDHCPRelay6OnTrap" + root.out.event.message = "panDHCPRelay6OnTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelay6OnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelay6OnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPRelay6OnTrap - UNEXPECTED VARBINDS for panDHCPRelay6OnTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 210 + # panDHCPRelay6OffTrap + # + # DHCPv6 relay off + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelay6OffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelay6OffTrap" + root.out.event.category.name = "panDHCPRelay6OffTrap" + root.out.event.message = "panDHCPRelay6OffTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelay6OffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPRelay6OffTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPRelay6OffTrap - UNEXPECTED VARBINDS for panDHCPRelay6OffTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 211 + # panDHCPIfUpdateFailTrap + # + # DHCP client interface update fail + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfUpdateFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfUpdateFailTrap" + root.out.event.category.name = "panDHCPIfUpdateFailTrap" + root.out.event.message = "panDHCPIfUpdateFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfUpdateFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfUpdateFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfUpdateFailTrap - UNEXPECTED VARBINDS for panDHCPIfUpdateFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 212 + # panDHCPIfUpdateOkTrap + # + # DHCP client interface update successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfUpdateOkTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfUpdateOkTrap" + root.out.event.category.name = "panDHCPIfUpdateOkTrap" + root.out.event.message = "panDHCPIfUpdateOkTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfUpdateOkTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfUpdateOkTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfUpdateOkTrap - UNEXPECTED VARBINDS for panDHCPIfUpdateOkTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 213 + # panDHCPIfClearTrap + # + # DHCP client interface info cleared + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfClearTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfClearTrap" + root.out.event.category.name = "panDHCPIfClearTrap" + root.out.event.message = "panDHCPIfClearTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfClearTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfClearTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfClearTrap - UNEXPECTED VARBINDS for panDHCPIfClearTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 214 + # panDHCPIfRenewTriggerTrap + # + # DHCP client interface renew triggered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfRenewTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfRenewTriggerTrap" + root.out.event.category.name = "panDHCPIfRenewTriggerTrap" + root.out.event.message = "panDHCPIfRenewTriggerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfRenewTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfRenewTriggerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfRenewTriggerTrap - UNEXPECTED VARBINDS for panDHCPIfRenewTriggerTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 215 + # panDHCPIfReleaseTriggerTrap + # + # DHCP client interface release triggered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfReleaseTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfReleaseTriggerTrap" + root.out.event.category.name = "panDHCPIfReleaseTriggerTrap" + root.out.event.message = "panDHCPIfReleaseTriggerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfReleaseTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfReleaseTriggerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfReleaseTriggerTrap - UNEXPECTED VARBINDS for panDHCPIfReleaseTriggerTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 216 + # panDHCPIfRcvNakTrap + # + # DHCP client interface received nak + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfRcvNakTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfRcvNakTrap" + root.out.event.category.name = "panDHCPIfRcvNakTrap" + root.out.event.message = "panDHCPIfRcvNakTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfRcvNakTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfRcvNakTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfRcvNakTrap - UNEXPECTED VARBINDS for panDHCPIfRcvNakTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 217 + # panDHCPIfInheritTrap + # + # DHCP server interface inherited settings + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfInheritTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfInheritTrap" + root.out.event.category.name = "panDHCPIfInheritTrap" + root.out.event.message = "panDHCPIfInheritTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfInheritTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfInheritTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfInheritTrap - UNEXPECTED VARBINDS for panDHCPIfInheritTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 218 + # panDHCPIfDuplicateIpIntfTrap + # + # DHCP client interface received IP address already assigned to another interface + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfDuplicateIpIntfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfDuplicateIpIntfTrap" + root.out.event.category.name = "panDHCPIfDuplicateIpIntfTrap" + root.out.event.message = "panDHCPIfDuplicateIpIntfTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfDuplicateIpIntfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfDuplicateIpIntfTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfDuplicateIpIntfTrap - UNEXPECTED VARBINDS for panDHCPIfDuplicateIpIntfTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 219 + # panDHCPIfDuplicateIpRemoteTrap + # + # DHCP client interface received IP address already used by another host on the network + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfDuplicateIpRemoteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfDuplicateIpRemoteTrap" + root.out.event.category.name = "panDHCPIfDuplicateIpRemoteTrap" + root.out.event.message = "panDHCPIfDuplicateIpRemoteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfDuplicateIpRemoteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPIfDuplicateIpRemoteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPIfDuplicateIpRemoteTrap - UNEXPECTED VARBINDS for panDHCPIfDuplicateIpRemoteTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 220 + # panDHCPV6IfUpdateFailTrap + # + # DHCPV6 update fail + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfUpdateFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfUpdateFailTrap" + root.out.event.category.name = "panDHCPV6IfUpdateFailTrap" + root.out.event.message = "panDHCPV6IfUpdateFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfUpdateFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfUpdateFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfUpdateFailTrap - UNEXPECTED VARBINDS for panDHCPV6IfUpdateFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 221 + # panDHCPV6IfUpdateOkTrap + # + # DHCPV6 update successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfUpdateOkTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfUpdateOkTrap" + root.out.event.category.name = "panDHCPV6IfUpdateOkTrap" + root.out.event.message = "panDHCPV6IfUpdateOkTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfUpdateOkTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfUpdateOkTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfUpdateOkTrap - UNEXPECTED VARBINDS for panDHCPV6IfUpdateOkTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 222 + # panDHCPV6IfClearTrap + # + # DHCPV6 info cleared + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfClearTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfClearTrap" + root.out.event.category.name = "panDHCPV6IfClearTrap" + root.out.event.message = "panDHCPV6IfClearTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfClearTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfClearTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfClearTrap - UNEXPECTED VARBINDS for panDHCPV6IfClearTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 223 + # panDHCPV6IfRenewTriggerTrap + # + # DHCPV6 renew triggered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfRenewTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfRenewTriggerTrap" + root.out.event.category.name = "panDHCPV6IfRenewTriggerTrap" + root.out.event.message = "panDHCPV6IfRenewTriggerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfRenewTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfRenewTriggerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfRenewTriggerTrap - UNEXPECTED VARBINDS for panDHCPV6IfRenewTriggerTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 224 + # panDHCPV6IfReleaseTriggerTrap + # + # DHCPV6 release triggered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfReleaseTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfReleaseTriggerTrap" + root.out.event.category.name = "panDHCPV6IfReleaseTriggerTrap" + root.out.event.message = "panDHCPV6IfReleaseTriggerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfReleaseTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfReleaseTriggerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfReleaseTriggerTrap - UNEXPECTED VARBINDS for panDHCPV6IfReleaseTriggerTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 225 + # panDHCPV6IfConfirmFailedTrap + # + # DHCPV6 confirm failed,continuing with the existing addresses + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfConfirmFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfConfirmFailedTrap" + root.out.event.category.name = "panDHCPV6IfConfirmFailedTrap" + root.out.event.message = "panDHCPV6IfConfirmFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfConfirmFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfConfirmFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfConfirmFailedTrap - UNEXPECTED VARBINDS for panDHCPV6IfConfirmFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 226 + # panDHCPV6IfDuplicateIpIntfTrap + # + # DHCPV6 received IP address already assigned to another interface + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateIpIntfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateIpIntfTrap" + root.out.event.category.name = "panDHCPV6IfDuplicateIpIntfTrap" + root.out.event.message = "panDHCPV6IfDuplicateIpIntfTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateIpIntfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateIpIntfTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfDuplicateIpIntfTrap - UNEXPECTED VARBINDS for panDHCPV6IfDuplicateIpIntfTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 227 + # panDHCPV6IfDuplicateIpRemoteTrap + # + # DHCPV6 received IP address already used by another host on the network + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateIpRemoteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateIpRemoteTrap" + root.out.event.category.name = "panDHCPV6IfDuplicateIpRemoteTrap" + root.out.event.message = "panDHCPV6IfDuplicateIpRemoteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateIpRemoteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateIpRemoteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfDuplicateIpRemoteTrap - UNEXPECTED VARBINDS for panDHCPV6IfDuplicateIpRemoteTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 228 + # panDHCPV6IfIanaNotReceivedTrap + # + # DHCPV6 unable to obtain Non-temporary address from the Server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIanaNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIanaNotReceivedTrap" + root.out.event.category.name = "panDHCPV6IfIanaNotReceivedTrap" + root.out.event.message = "panDHCPV6IfIanaNotReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIanaNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIanaNotReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfIanaNotReceivedTrap - UNEXPECTED VARBINDS for panDHCPV6IfIanaNotReceivedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 229 + # panDHCPV6IfIataNotReceivedTrap + # + # DHCPV6 unable to obtain Temporary address from the Server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIataNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIataNotReceivedTrap" + root.out.event.category.name = "panDHCPV6IfIataNotReceivedTrap" + root.out.event.message = "panDHCPV6IfIataNotReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIataNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIataNotReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfIataNotReceivedTrap - UNEXPECTED VARBINDS for panDHCPV6IfIataNotReceivedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 230 + # panDHCPV6IfIapdNotReceivedTrap + # + # DHCPV6 unable to obtain Prefix Delegation address from the Server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIapdNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIapdNotReceivedTrap" + root.out.event.category.name = "panDHCPV6IfIapdNotReceivedTrap" + root.out.event.message = "panDHCPV6IfIapdNotReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIapdNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfIapdNotReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfIapdNotReceivedTrap - UNEXPECTED VARBINDS for panDHCPV6IfIapdNotReceivedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 231 + # panDHCPV6IfDhcpv6LeaseStartTrap + # + # DHCPV6 lease of addresses started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6LeaseStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6LeaseStartTrap" + root.out.event.category.name = "panDHCPV6IfDhcpv6LeaseStartTrap" + root.out.event.message = "panDHCPV6IfDhcpv6LeaseStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6LeaseStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6LeaseStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfDhcpv6LeaseStartTrap - UNEXPECTED VARBINDS for panDHCPV6IfDhcpv6LeaseStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 232 + # panDHCPV6IfDhcpv6PreferredLifetimeOverTrap + # + # DHCPV6 Preferred lifetime of addresses expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6PreferredLifetimeOverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6PreferredLifetimeOverTrap" + root.out.event.category.name = "panDHCPV6IfDhcpv6PreferredLifetimeOverTrap" + root.out.event.message = "panDHCPV6IfDhcpv6PreferredLifetimeOverTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6PreferredLifetimeOverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6PreferredLifetimeOverTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfDhcpv6PreferredLifetimeOverTrap - UNEXPECTED VARBINDS for panDHCPV6IfDhcpv6PreferredLifetimeOverTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 233 + # panDHCPV6IfDhcpv6LeaseEndTrap + # + # DHCPV6 Lease of addresses + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6LeaseEndTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6LeaseEndTrap" + root.out.event.category.name = "panDHCPV6IfDhcpv6LeaseEndTrap" + root.out.event.message = "panDHCPV6IfDhcpv6LeaseEndTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6LeaseEndTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDhcpv6LeaseEndTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfDhcpv6LeaseEndTrap - UNEXPECTED VARBINDS for panDHCPV6IfDhcpv6LeaseEndTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 234 + # panDHCPV6IfDuplicateAddressReceivedTrap + # + # DHCPV6 IPv6 address ip_address on interface if_name failed due to duplicate IP check + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateAddressReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateAddressReceivedTrap" + root.out.event.category.name = "panDHCPV6IfDuplicateAddressReceivedTrap" + root.out.event.message = "panDHCPV6IfDuplicateAddressReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateAddressReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfDuplicateAddressReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfDuplicateAddressReceivedTrap - UNEXPECTED VARBINDS for panDHCPV6IfDuplicateAddressReceivedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 235 + # panDHCPV6IfPdIdentifierValueTrap + # + # DHCPV6 Prefix cannot be assigned to the Inherited Interface if_name,since the value of the Pool identifier is larger the prefix range received. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType 
= this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfPdIdentifierValueTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfPdIdentifierValueTrap" + root.out.event.category.name = "panDHCPV6IfPdIdentifierValueTrap" + root.out.event.message = "panDHCPV6IfPdIdentifierValueTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfPdIdentifierValueTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfPdIdentifierValueTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfPdIdentifierValueTrap - UNEXPECTED VARBINDS for panDHCPV6IfPdIdentifierValueTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 236 + # panDHCPV6IfPdExhaustTrap + # + # DHCPV6 Prefix cannot be assigned to the Inherited Interface,since the prefix pool exhausted. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfPdExhaustTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfPdExhaustTrap" + root.out.event.category.name = "panDHCPV6IfPdExhaustTrap" + root.out.event.message = "panDHCPV6IfPdExhaustTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfPdExhaustTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDHCPV6IfPdExhaustTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDHCPV6IfPdExhaustTrap - UNEXPECTED VARBINDS for panDHCPV6IfPdExhaustTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 300 + # panDNSProxyCacheClearedTrap + # + # DNS Proxy cache cleared + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyCacheClearedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyCacheClearedTrap" + root.out.event.category.name = "panDNSProxyCacheClearedTrap" + root.out.event.message = "panDNSProxyCacheClearedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyCacheClearedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyCacheClearedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSProxyCacheClearedTrap - UNEXPECTED VARBINDS for panDNSProxyCacheClearedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 301 + # panDNSProxyResolveFailTrap + # + # Failed to resolve domain name + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyResolveFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyResolveFailTrap" + root.out.event.category.name = "panDNSProxyResolveFailTrap" + root.out.event.message = "panDNSProxyResolveFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyResolveFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyResolveFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSProxyResolveFailTrap - UNEXPECTED VARBINDS for panDNSProxyResolveFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 302 + # panDNSProxyObjectEnableTrap + # + # Enabled/Disabled DNS proxy object + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyObjectEnableTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyObjectEnableTrap" + root.out.event.category.name = "panDNSProxyObjectEnableTrap" + root.out.event.message = "panDNSProxyObjectEnableTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyObjectEnableTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyObjectEnableTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSProxyObjectEnableTrap - UNEXPECTED VARBINDS for panDNSProxyObjectEnableTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 303 + # panDNSProxyIfAddTrap + # + # Assigned interface to DNS proxy object + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfAddTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfAddTrap" + root.out.event.category.name = "panDNSProxyIfAddTrap" + root.out.event.message = "panDNSProxyIfAddTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfAddTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfAddTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSProxyIfAddTrap - UNEXPECTED VARBINDS for panDNSProxyIfAddTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 304 + # panDNSProxyIfDelTrap + # + # Removed interface from DNS proxy object + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfDelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfDelTrap" + root.out.event.category.name = "panDNSProxyIfDelTrap" + root.out.event.message = "panDNSProxyIfDelTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfDelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfDelTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSProxyIfDelTrap - UNEXPECTED VARBINDS for panDNSProxyIfDelTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 305 + # panDNSProxyIfInheritTrap + # + # DNS Proxy object inherited settings + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfInheritTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfInheritTrap" + root.out.event.category.name = "panDNSProxyIfInheritTrap" + root.out.event.message = "panDNSProxyIfInheritTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfInheritTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSProxyIfInheritTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSProxyIfInheritTrap - UNEXPECTED VARBINDS for panDNSProxyIfInheritTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 500 + # panDOSDosRuleChangedTrap + # + # DOS rule changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDOSDosRuleChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDOSDosRuleChangedTrap" + root.out.event.category.name = "panDOSDosRuleChangedTrap" + root.out.event.message = "panDOSDosRuleChangedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDOSDosRuleChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDOSDosRuleChangedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDOSDosRuleChangedTrap - UNEXPECTED VARBINDS for panDOSDosRuleChangedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 600 + # panGeneralGeneralTrap + # + # General system event + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralGeneralTrap" + root.out.event.category.name = "panGeneralGeneralTrap" + root.out.event.message = "panGeneralGeneralTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralGeneralTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralGeneralTrap - UNEXPECTED VARBINDS for panGeneralGeneralTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 601 + # panGeneralSystemStartTrap + # + # System start + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralSystemStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralSystemStartTrap" + root.out.event.category.name = "panGeneralSystemStartTrap" + root.out.event.message = "panGeneralSystemStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralSystemStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralSystemStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralSystemStartTrap - UNEXPECTED VARBINDS for panGeneralSystemStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 602 + # panGeneralSystemShutdownTrap + # + # System shutdown + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralSystemShutdownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralSystemShutdownTrap" + root.out.event.category.name = "panGeneralSystemShutdownTrap" + root.out.event.message = "panGeneralSystemShutdownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralSystemShutdownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralSystemShutdownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralSystemShutdownTrap - UNEXPECTED VARBINDS for panGeneralSystemShutdownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 603 + # panGeneralAuthFailTrap + # + # Authentication attempt faliure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthFailTrap" + root.out.event.category.name = "panGeneralAuthFailTrap" + root.out.event.message = "panGeneralAuthFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralAuthFailTrap - UNEXPECTED VARBINDS for panGeneralAuthFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 604 + # panGeneralAuthSuccessTrap + # + # Authentication attempt success + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthSuccessTrap" + root.out.event.category.name = "panGeneralAuthSuccessTrap" + root.out.event.message = "panGeneralAuthSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralAuthSuccessTrap - UNEXPECTED VARBINDS for panGeneralAuthSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 605 + # panGeneralTacLoginTrap + # + # TAC debug access attempt + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralTacLoginTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralTacLoginTrap" + root.out.event.category.name = "panGeneralTacLoginTrap" + root.out.event.message = "panGeneralTacLoginTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralTacLoginTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralTacLoginTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralTacLoginTrap - UNEXPECTED VARBINDS for panGeneralTacLoginTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 606 + # panGeneralAuthServerDownTrap + # + # Can not contact auth server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthServerDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthServerDownTrap" + root.out.event.category.name = "panGeneralAuthServerDownTrap" + root.out.event.message = "panGeneralAuthServerDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthServerDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAuthServerDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralAuthServerDownTrap - UNEXPECTED VARBINDS for panGeneralAuthServerDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 607 + # panGeneralAdminDiscardTrap + # + # Discarded by administrator + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAdminDiscardTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAdminDiscardTrap" + root.out.event.category.name = "panGeneralAdminDiscardTrap" + root.out.event.message = "panGeneralAdminDiscardTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAdminDiscardTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralAdminDiscardTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralAdminDiscardTrap - UNEXPECTED VARBINDS for panGeneralAdminDiscardTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 608 + # panGeneralBootstrapFailureTrap + # + # Bootstrap vm failed authentication with panorama + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { 
+ if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralBootstrapFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralBootstrapFailureTrap" + root.out.event.category.name = "panGeneralBootstrapFailureTrap" + root.out.event.message = "panGeneralBootstrapFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralBootstrapFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralBootstrapFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralBootstrapFailureTrap - UNEXPECTED VARBINDS for panGeneralBootstrapFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 609 + # panGeneralWfRealtimeEnabledTrap + # + # WildFire Real-time feature enabled + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralWfRealtimeEnabledTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralWfRealtimeEnabledTrap" + root.out.event.category.name = "panGeneralWfRealtimeEnabledTrap" + root.out.event.message = "panGeneralWfRealtimeEnabledTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralWfRealtimeEnabledTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralWfRealtimeEnabledTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralWfRealtimeEnabledTrap - UNEXPECTED VARBINDS for panGeneralWfRealtimeEnabledTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 610 + # panGeneralWfRealtimeDisabledTrap + # + # WildFire Real-time feature disabled + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralWfRealtimeDisabledTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralWfRealtimeDisabledTrap" + root.out.event.category.name = "panGeneralWfRealtimeDisabledTrap" + root.out.event.message = "panGeneralWfRealtimeDisabledTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralWfRealtimeDisabledTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralWfRealtimeDisabledTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralWfRealtimeDisabledTrap - UNEXPECTED VARBINDS for panGeneralWfRealtimeDisabledTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 611 + # panGeneralInodeUsageLimitExceededTrap + # + # Inode Usage Exceeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralInodeUsageLimitExceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralInodeUsageLimitExceededTrap" + root.out.event.category.name = "panGeneralInodeUsageLimitExceededTrap" + root.out.event.message = "panGeneralInodeUsageLimitExceededTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralInodeUsageLimitExceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGeneralInodeUsageLimitExceededTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGeneralInodeUsageLimitExceededTrap - UNEXPECTED VARBINDS for panGeneralInodeUsageLimitExceededTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 700 + # panGlobalprotectgatewayRegistSuccTrap + # + # GlobalProtect gateway user login succeeded. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRegistSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRegistSuccTrap" + root.out.event.category.name = "panGlobalprotectgatewayRegistSuccTrap" + root.out.event.message = "panGlobalprotectgatewayRegistSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRegistSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRegistSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayRegistSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayRegistSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 701 + # panGlobalprotectgatewayRegistFailTrap + # + # GlobalProtect gateway user login failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRegistFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRegistFailTrap" + root.out.event.category.name = "panGlobalprotectgatewayRegistFailTrap" + root.out.event.message = "panGlobalprotectgatewayRegistFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRegistFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRegistFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayRegistFailTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayRegistFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 702 + # panGlobalprotectgatewayLogoutSuccTrap + # + # GlobalProtect gateway user logout succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayLogoutSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayLogoutSuccTrap" + root.out.event.category.name = "panGlobalprotectgatewayLogoutSuccTrap" + root.out.event.message = "panGlobalprotectgatewayLogoutSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayLogoutSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayLogoutSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayLogoutSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayLogoutSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 703 + # panGlobalprotectgatewayLogoutFailTrap + # + # GlobalProtect gateway user logout failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayLogoutFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayLogoutFailTrap" + root.out.event.category.name = "panGlobalprotectgatewayLogoutFailTrap" + root.out.event.message = "panGlobalprotectgatewayLogoutFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayLogoutFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayLogoutFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayLogoutFailTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayLogoutFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 704 + # panGlobalProtectGatewayConfigSuccTrap + # + # GlobalProtect gateway client configuration generated. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigSuccTrap" + root.out.event.category.name = "panGlobalProtectGatewayConfigSuccTrap" + root.out.event.message = "panGlobalProtectGatewayConfigSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewayConfigSuccTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewayConfigSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 705 + # panGlobalProtectGatewayConfigFailTrap + # + # GlobalProtect gateway client configuration failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigFailTrap" + root.out.event.category.name = "panGlobalProtectGatewayConfigFailTrap" + root.out.event.message = "panGlobalProtectGatewayConfigFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewayConfigFailTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewayConfigFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 706 + # panGlobalProtectGatewayConfigReleaseTrap + # + # GlobalProtect gateway client configuration released. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigReleaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigReleaseTrap" + root.out.event.category.name = "panGlobalProtectGatewayConfigReleaseTrap" + root.out.event.message = "panGlobalProtectGatewayConfigReleaseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigReleaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayConfigReleaseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewayConfigReleaseTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewayConfigReleaseTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 707 + # panGlobalProtectGatewaySwitchSuccTrap + # + # GlobalProtect gateway client switch to SSL tunnel mode succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewaySwitchSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewaySwitchSuccTrap" + root.out.event.category.name = "panGlobalProtectGatewaySwitchSuccTrap" + root.out.event.message = "panGlobalProtectGatewaySwitchSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewaySwitchSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewaySwitchSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewaySwitchSuccTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewaySwitchSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 708 + # panGlobalProtectGatewaySwitchFailTrap + # + # GlobalProtect gateway client switch to SSL tunnel mode failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewaySwitchFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewaySwitchFailTrap" + root.out.event.category.name = "panGlobalProtectGatewaySwitchFailTrap" + root.out.event.message = "panGlobalProtectGatewaySwitchFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewaySwitchFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewaySwitchFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewaySwitchFailTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewaySwitchFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 709 + # panGlobalProtectGatewayAuthSuccTrap + # + # GlobalProtect gateway user authentication succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAuthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAuthSuccTrap" + root.out.event.category.name = "panGlobalProtectGatewayAuthSuccTrap" + root.out.event.message = "panGlobalProtectGatewayAuthSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAuthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAuthSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewayAuthSuccTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewayAuthSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 710 + # panGlobalProtectGatewayAuthFailTrap + # + # GlobalProtect gateway user authentication failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAuthFailTrap" + root.out.event.category.name = "panGlobalProtectGatewayAuthFailTrap" + root.out.event.message = "panGlobalProtectGatewayAuthFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAuthFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewayAuthFailTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewayAuthFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 711 + # panGlobalProtectGatewayAgentMsgTrap + # + # GlobalProtect gateway agent message. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAgentMsgTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAgentMsgTrap" + root.out.event.category.name = "panGlobalProtectGatewayAgentMsgTrap" + root.out.event.message = "panGlobalProtectGatewayAgentMsgTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAgentMsgTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayAgentMsgTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewayAgentMsgTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewayAgentMsgTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 712 + # panGlobalProtectGatewayInvalidLicenseTrap + # + # GlobalProtect gateway invalid gateway license. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayInvalidLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayInvalidLicenseTrap" + root.out.event.category.name = "panGlobalProtectGatewayInvalidLicenseTrap" + root.out.event.message = "panGlobalProtectGatewayInvalidLicenseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayInvalidLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayInvalidLicenseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewayInvalidLicenseTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewayInvalidLicenseTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 713 + # panGlobalProtectGatewayInheritanceTrap + # + # GlobalProtect gateway inheritance. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayInheritanceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayInheritanceTrap" + root.out.event.category.name = "panGlobalProtectGatewayInheritanceTrap" + root.out.event.message = "panGlobalProtectGatewayInheritanceTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayInheritanceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectGatewayInheritanceTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectGatewayInheritanceTrap - UNEXPECTED VARBINDS for panGlobalProtectGatewayInheritanceTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 714 + # panGlobalProtectPortalConfigSuccTrap + # + # GlobalProtect portal client configuration generated. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalConfigSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalConfigSuccTrap" + root.out.event.category.name = "panGlobalProtectPortalConfigSuccTrap" + root.out.event.message = "panGlobalProtectPortalConfigSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalConfigSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalConfigSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectPortalConfigSuccTrap - UNEXPECTED VARBINDS for panGlobalProtectPortalConfigSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 715 + # panGlobalProtectPortalConfigFailTrap + # + # GlobalProtect portal client configuration failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalConfigFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalConfigFailTrap" + root.out.event.category.name = "panGlobalProtectPortalConfigFailTrap" + root.out.event.message = "panGlobalProtectPortalConfigFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalConfigFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalConfigFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectPortalConfigFailTrap - UNEXPECTED VARBINDS for panGlobalProtectPortalConfigFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 716 + # panGlobalProtectPortalAuthSuccTrap + # + # GlobalProtect portal user authentication succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalAuthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalAuthSuccTrap" + root.out.event.category.name = "panGlobalProtectPortalAuthSuccTrap" + root.out.event.message = "panGlobalProtectPortalAuthSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalAuthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalAuthSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectPortalAuthSuccTrap - UNEXPECTED VARBINDS for panGlobalProtectPortalAuthSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 717 + # panGlobalProtectPortalAuthFailTrap + # + # GlobalProtect portal user authentication failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalAuthFailTrap" + root.out.event.category.name = "panGlobalProtectPortalAuthFailTrap" + root.out.event.message = "panGlobalProtectPortalAuthFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalProtectPortalAuthFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalProtectPortalAuthFailTrap - UNEXPECTED VARBINDS for panGlobalProtectPortalAuthFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 718 + # panGlobalprotectgatewaySatauthSuccTrap + # + # GlobalProtect gateway satellite authentication succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewaySatauthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewaySatauthSuccTrap" + root.out.event.category.name = "panGlobalprotectgatewaySatauthSuccTrap" + root.out.event.message = "panGlobalprotectgatewaySatauthSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewaySatauthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewaySatauthSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewaySatauthSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewaySatauthSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 719 + # panGlobalprotectgatewaySatauthFailTrap + # + # GlobalProtect gateway satellite authentication failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewaySatauthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewaySatauthFailTrap" + root.out.event.category.name = "panGlobalprotectgatewaySatauthFailTrap" + root.out.event.message = "panGlobalprotectgatewaySatauthFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewaySatauthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewaySatauthFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewaySatauthFailTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewaySatauthFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 720 + # panGlobalprotectgatewayRouteAddFailTrap + # + # GlobalProtect gateway route add failure. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRouteAddFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRouteAddFailTrap" + root.out.event.category.name = "panGlobalprotectgatewayRouteAddFailTrap" + root.out.event.message = "panGlobalprotectgatewayRouteAddFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRouteAddFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRouteAddFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayRouteAddFailTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayRouteAddFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 721 + # panGlobalprotectgatewayRouteResetFailTrap + # + # GlobalProtect gateway route reset failure. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRouteResetFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRouteResetFailTrap" + root.out.event.category.name = "panGlobalprotectgatewayRouteResetFailTrap" + root.out.event.message = "panGlobalprotectgatewayRouteResetFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRouteResetFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayRouteResetFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayRouteResetFailTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayRouteResetFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 722 + # panGlobalprotectgatewayTunUpTrap + # + # GlobalProtect Site to Site Gateway tunnel is up. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunUpTrap" + root.out.event.category.name = "panGlobalprotectgatewayTunUpTrap" + root.out.event.message = "panGlobalprotectgatewayTunUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayTunUpTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayTunUpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 723 + # panGlobalprotectgatewayTunDownTrap + # + # GlobalProtect Site to Site Gateway tunnel is down. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunDownTrap" + root.out.event.category.name = "panGlobalprotectgatewayTunDownTrap" + root.out.event.message = "panGlobalprotectgatewayTunDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayTunDownTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayTunDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 724 + # panGlobalprotectgatewayDupSubnetsTrap + # + # GlobalProtect Site to Site Gateway detected duplicate Satellite subnets. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayDupSubnetsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayDupSubnetsTrap" + root.out.event.category.name = "panGlobalprotectgatewayDupSubnetsTrap" + root.out.event.message = "panGlobalprotectgatewayDupSubnetsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayDupSubnetsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayDupSubnetsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayDupSubnetsTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayDupSubnetsTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 725 + # panGlobalprotectgatewayDeniedRoutesTrap + # + # GlobalProtect Site to Site Gateway denied Satellite routes. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayDeniedRoutesTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayDeniedRoutesTrap" + root.out.event.category.name = "panGlobalprotectgatewayDeniedRoutesTrap" + root.out.event.message = "panGlobalprotectgatewayDeniedRoutesTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayDeniedRoutesTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayDeniedRoutesTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayDeniedRoutesTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayDeniedRoutesTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 726 + # panGlobalprotectgatewayTunMonDownTrap + # + # GlobalProtect Site to Site Gateway tunnel monitor down. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunMonDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunMonDownTrap" + root.out.event.category.name = "panGlobalprotectgatewayTunMonDownTrap" + root.out.event.message = "panGlobalprotectgatewayTunMonDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunMonDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunMonDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayTunMonDownTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayTunMonDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 727 + # panGlobalprotectgatewayTunMonUpTrap + # + # GlobalProtect Site to Site Gateway tunnel monitor up. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunMonUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunMonUpTrap" + root.out.event.category.name = "panGlobalprotectgatewayTunMonUpTrap" + root.out.event.message = "panGlobalprotectgatewayTunMonUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunMonUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunMonUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayTunMonUpTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayTunMonUpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 728 + # panGlobalprotectportalSatconfigSuccTrap + # + # GlobalProtect portal satellite configuration generated. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatconfigSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatconfigSuccTrap" + root.out.event.category.name = "panGlobalprotectportalSatconfigSuccTrap" + root.out.event.message = "panGlobalprotectportalSatconfigSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatconfigSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatconfigSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalSatconfigSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectportalSatconfigSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 729 + # panGlobalprotectportalSatconfigFailTrap + # + # GlobalProtect portal satellite configuration failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatconfigFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatconfigFailTrap" + root.out.event.category.name = "panGlobalprotectportalSatconfigFailTrap" + root.out.event.message = "panGlobalprotectportalSatconfigFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatconfigFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatconfigFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalSatconfigFailTrap - UNEXPECTED VARBINDS for panGlobalprotectportalSatconfigFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 730 + # panGlobalprotectportalSatauthSuccTrap + # + # GlobalProtect portal satellite authentication succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatauthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatauthSuccTrap" + root.out.event.category.name = "panGlobalprotectportalSatauthSuccTrap" + root.out.event.message = "panGlobalprotectportalSatauthSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatauthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatauthSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalSatauthSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectportalSatauthSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 731 + # panGlobalprotectportalSatauthFailTrap + # + # GlobalProtect portal satellite authentication failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatauthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatauthFailTrap" + root.out.event.category.name = "panGlobalprotectportalSatauthFailTrap" + root.out.event.message = "panGlobalprotectportalSatauthFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatauthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatauthFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalSatauthFailTrap - UNEXPECTED VARBINDS for panGlobalprotectportalSatauthFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 732 + # panGlobalprotectportalSatcertSuccTrap + # + # GlobalProtect portal satellite certificate success. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatcertSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatcertSuccTrap" + root.out.event.category.name = "panGlobalprotectportalSatcertSuccTrap" + root.out.event.message = "panGlobalprotectportalSatcertSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatcertSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatcertSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalSatcertSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectportalSatcertSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 733 + # panGlobalprotectportalSatcertFailTrap + # + # GlobalProtect portal satellite certificate failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatcertFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatcertFailTrap" + root.out.event.category.name = "panGlobalprotectportalSatcertFailTrap" + root.out.event.message = "panGlobalprotectportalSatcertFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatcertFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSatcertFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalSatcertFailTrap - UNEXPECTED VARBINDS for panGlobalprotectportalSatcertFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 734 + # panGlobalprotectgatewayTunHardlifetimeExpiredTrap + # + # GlobalProtect Site to Site Gateway tunnel lifetime expired. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunHardlifetimeExpiredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunHardlifetimeExpiredTrap" + root.out.event.category.name = "panGlobalprotectgatewayTunHardlifetimeExpiredTrap" + root.out.event.message = "panGlobalprotectgatewayTunHardlifetimeExpiredTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunHardlifetimeExpiredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunHardlifetimeExpiredTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayTunHardlifetimeExpiredTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayTunHardlifetimeExpiredTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 735 + # panGlobalprotectgatewayTunDpInstallErrTrap + # + # GlobalProtect Site to Site Gateway tunnel dataplane install error. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunDpInstallErrTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunDpInstallErrTrap" + root.out.event.category.name = "panGlobalprotectgatewayTunDpInstallErrTrap" + root.out.event.message = "panGlobalprotectgatewayTunDpInstallErrTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunDpInstallErrTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayTunDpInstallErrTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayTunDpInstallErrTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayTunDpInstallErrTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 736 + # panGlobalprotectportalGenportalcookieSuccTrap + # + # GlobalProtect portal generate portal cookie success. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalGenportalcookieSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalGenportalcookieSuccTrap" + root.out.event.category.name = "panGlobalprotectportalGenportalcookieSuccTrap" + root.out.event.message = "panGlobalprotectportalGenportalcookieSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalGenportalcookieSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalGenportalcookieSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalGenportalcookieSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectportalGenportalcookieSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 737 + # panGlobalprotectportalGenportalcookieFailTrap + # + # GlobalProtect portal generate portal cookie failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalGenportalcookieFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalGenportalcookieFailTrap" + root.out.event.category.name = "panGlobalprotectportalGenportalcookieFailTrap" + root.out.event.message = "panGlobalprotectportalGenportalcookieFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalGenportalcookieFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalGenportalcookieFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalGenportalcookieFailTrap - UNEXPECTED VARBINDS for panGlobalprotectportalGenportalcookieFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 738 + # panGlobalprotectgatewayFramedIpSuccTrap + # + # Framed IP retrieval success + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpSuccTrap" + root.out.event.category.name = "panGlobalprotectgatewayFramedIpSuccTrap" + root.out.event.message = "panGlobalprotectgatewayFramedIpSuccTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayFramedIpSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayFramedIpSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 739 + # panGlobalprotectgatewayFramedIpFailTrap + # + # Framed IP retrieval failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpFailTrap" + root.out.event.category.name = "panGlobalprotectgatewayFramedIpFailTrap" + root.out.event.message = "panGlobalprotectgatewayFramedIpFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayFramedIpFailTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayFramedIpFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 740 + # panGlobalprotectgatewayGencookieSuccTrap + # + # GlobalProtect gateway generate cookie success. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayGencookieSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayGencookieSuccTrap" + root.out.event.category.name = "panGlobalprotectgatewayGencookieSuccTrap" + root.out.event.message = "panGlobalprotectgatewayGencookieSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayGencookieSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayGencookieSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayGencookieSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayGencookieSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 741 + # panGlobalprotectgatewayGencookieFailTrap + # + # GlobalProtect gateway generate cookie failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayGencookieFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayGencookieFailTrap" + root.out.event.category.name = "panGlobalprotectgatewayGencookieFailTrap" + root.out.event.message = "panGlobalprotectgatewayGencookieFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayGencookieFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayGencookieFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayGencookieFailTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayGencookieFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 742 + # panGlobalprotectgatewayFramedIpv6SuccTrap + # + # Framed IPv6 retrieval success. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpv6SuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpv6SuccTrap" + root.out.event.category.name = "panGlobalprotectgatewayFramedIpv6SuccTrap" + root.out.event.message = "panGlobalprotectgatewayFramedIpv6SuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpv6SuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpv6SuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayFramedIpv6SuccTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayFramedIpv6SuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 743 + # panGlobalprotectgatewayFramedIpv6FailTrap + # + # Framed IPv6 retrieval failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpv6FailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpv6FailTrap" + root.out.event.category.name = "panGlobalprotectgatewayFramedIpv6FailTrap" + root.out.event.message = "panGlobalprotectgatewayFramedIpv6FailTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpv6FailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectgatewayFramedIpv6FailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectgatewayFramedIpv6FailTrap - UNEXPECTED VARBINDS for panGlobalprotectgatewayFramedIpv6FailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 744 + # panGlobalprotectportalLogoutSuccTrap + # + # GlobalProtect portal user logout succeeded. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalLogoutSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalLogoutSuccTrap" + root.out.event.category.name = "panGlobalprotectportalLogoutSuccTrap" + root.out.event.message = "panGlobalprotectportalLogoutSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalLogoutSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalLogoutSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalLogoutSuccTrap - UNEXPECTED VARBINDS for panGlobalprotectportalLogoutSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 745 + # panGlobalprotectportalLogoutFailTrap + # + # GlobalProtect portal user logout failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalLogoutFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalLogoutFailTrap" + root.out.event.category.name = "panGlobalprotectportalLogoutFailTrap" + root.out.event.message = "panGlobalprotectportalLogoutFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalLogoutFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalLogoutFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalLogoutFailTrap - UNEXPECTED VARBINDS for panGlobalprotectportalLogoutFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 746 + # panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap + # + # GlobalProtect portal set satellite cookie expiration success. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap" + root.out.event.category.name = "panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap" + root.out.event.message = "panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } 
else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 
= this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = 
this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = 
this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap - UNEXPECTED VARBINDS for 
panGlobalprotectportalSetSatelliteCookieExpirationSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 747 + # panGlobalprotectportalSetSatelliteCookieExpirationFailTrap + # + # GlobalProtect portal set satellite cookie expiration failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSetSatelliteCookieExpirationFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSetSatelliteCookieExpirationFailTrap" + root.out.event.category.name = "panGlobalprotectportalSetSatelliteCookieExpirationFailTrap" + root.out.event.message = "panGlobalprotectportalSetSatelliteCookieExpirationFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } 
else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 
= this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = 
this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = 
this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSetSatelliteCookieExpirationFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGlobalprotectportalSetSatelliteCookieExpirationFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGlobalprotectportalSetSatelliteCookieExpirationFailTrap - UNEXPECTED VARBINDS for 
panGlobalprotectportalSetSatelliteCookieExpirationFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 800 + # panHAPreemptTrap + # + # HA device going passive due to preemption + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPreemptTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPreemptTrap" + root.out.event.category.name = "panHAPreemptTrap" + root.out.event.message = "panHAPreemptTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPreemptTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPreemptTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPreemptTrap - UNEXPECTED VARBINDS for panHAPreemptTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 801 + # panHAStateChangeTrap + # + # HA device has changed states + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAStateChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAStateChangeTrap" + root.out.event.category.name = "panHAStateChangeTrap" + root.out.event.message = "panHAStateChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAStateChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAStateChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAStateChangeTrap - UNEXPECTED VARBINDS for panHAStateChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 802 + # panHAStateOverrideTrap + # + # HA device state override change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAStateOverrideTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAStateOverrideTrap" + root.out.event.category.name = "panHAStateOverrideTrap" + root.out.event.message = "panHAStateOverrideTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAStateOverrideTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAStateOverrideTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAStateOverrideTrap - UNEXPECTED VARBINDS for panHAStateOverrideTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 803 + # panHADataplaneDownTrap + # + # HA has detected a dataplane down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHADataplaneDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHADataplaneDownTrap" + root.out.event.category.name = "panHADataplaneDownTrap" + root.out.event.message = "panHADataplaneDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHADataplaneDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHADataplaneDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHADataplaneDownTrap - UNEXPECTED VARBINDS for panHADataplaneDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 804 + # panHAPolicyPushFailTrap + # + # HA policy push to dataplane failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPolicyPushFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPolicyPushFailTrap" + root.out.event.category.name = "panHAPolicyPushFailTrap" + root.out.event.message = "panHAPolicyPushFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPolicyPushFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPolicyPushFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPolicyPushFailTrap - UNEXPECTED VARBINDS for panHAPolicyPushFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 805 + # panHAHa1LinkChangeTrap + # + # HA1 peer link change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa1LinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa1LinkChangeTrap" + root.out.event.category.name = "panHAHa1LinkChangeTrap" + root.out.event.message = "panHAHa1LinkChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa1LinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa1LinkChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAHa1LinkChangeTrap - UNEXPECTED VARBINDS for panHAHa1LinkChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 806 + # panHAHa2LinkChangeTrap + # + # HA2 peer link change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa2LinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa2LinkChangeTrap" + root.out.event.category.name = "panHAHa2LinkChangeTrap" + root.out.event.message = "panHAHa2LinkChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa2LinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa2LinkChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAHa2LinkChangeTrap - UNEXPECTED VARBINDS for panHAHa2LinkChangeTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 807 + # panHAConnectChangeTrap + # + # HA peer connection change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConnectChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConnectChangeTrap" + root.out.event.category.name = "panHAConnectChangeTrap" + root.out.event.message = "panHAConnectChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConnectChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConnectChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAConnectChangeTrap - UNEXPECTED VARBINDS for panHAConnectChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 808 + # panHAPathMonitorDownTrap + # + # HA monitored path down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPathMonitorDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPathMonitorDownTrap" + root.out.event.category.name = "panHAPathMonitorDownTrap" + root.out.event.message = "panHAPathMonitorDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPathMonitorDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPathMonitorDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPathMonitorDownTrap - UNEXPECTED VARBINDS for panHAPathMonitorDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 809 + # panHALinkMonitorDownTrap + # + # HA monitored link down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHALinkMonitorDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHALinkMonitorDownTrap" + root.out.event.category.name = "panHALinkMonitorDownTrap" + root.out.event.message = "panHALinkMonitorDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHALinkMonitorDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHALinkMonitorDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHALinkMonitorDownTrap - UNEXPECTED VARBINDS for panHALinkMonitorDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 810 + # panHAHa3LinkChangeTrap + # + # HA3 peer link change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa3LinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa3LinkChangeTrap" + root.out.event.category.name = "panHAHa3LinkChangeTrap" + root.out.event.message = "panHAHa3LinkChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa3LinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa3LinkChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAHa3LinkChangeTrap - UNEXPECTED VARBINDS for panHAHa3LinkChangeTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 811 + # panHAPathMonitorUpTrap + # + # HA monitored path up + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPathMonitorUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPathMonitorUpTrap" + root.out.event.category.name = "panHAPathMonitorUpTrap" + root.out.event.message = "panHAPathMonitorUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPathMonitorUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPathMonitorUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPathMonitorUpTrap - UNEXPECTED VARBINDS for panHAPathMonitorUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 812 + # panHALinkMonitorUpTrap + # + # HA monitored link up + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHALinkMonitorUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHALinkMonitorUpTrap" + root.out.event.category.name = "panHALinkMonitorUpTrap" + root.out.event.message = "panHALinkMonitorUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHALinkMonitorUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHALinkMonitorUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHALinkMonitorUpTrap - UNEXPECTED VARBINDS for panHALinkMonitorUpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 813 + # panHAHa4LinkChangeTrap + # + # HA4 peer link change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa4LinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa4LinkChangeTrap" + root.out.event.category.name = "panHAHa4LinkChangeTrap" + root.out.event.message = "panHAHa4LinkChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa4LinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa4LinkChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAHa4LinkChangeTrap - UNEXPECTED VARBINDS for panHAHa4LinkChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 814 + # panHAPeerSyncFailureTrap + # + # HA can't synch non-configuration controlplane data to peer + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerSyncFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerSyncFailureTrap" + root.out.event.category.name = "panHAPeerSyncFailureTrap" + root.out.event.message = "panHAPeerSyncFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerSyncFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerSyncFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerSyncFailureTrap - UNEXPECTED VARBINDS for panHAPeerSyncFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 815 + # panHAConfigFailureTrap + # + # HA configuration push to peer has failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConfigFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConfigFailureTrap" + root.out.event.category.name = "panHAConfigFailureTrap" + root.out.event.message = "panHAConfigFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConfigFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConfigFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAConfigFailureTrap - UNEXPECTED VARBINDS for panHAConfigFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 816 + # panHAConfigNotSynchTrap + # + # HA config not automatically synched + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConfigNotSynchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConfigNotSynchTrap" + root.out.event.category.name = "panHAConfigNotSynchTrap" + root.out.event.message = "panHAConfigNotSynchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConfigNotSynchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAConfigNotSynchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAConfigNotSynchTrap - UNEXPECTED VARBINDS for panHAConfigNotSynchTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 817 + # panHAPeerErrorTrap + # + # HA error message from peer + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerErrorTrap" + root.out.event.category.name = "panHAPeerErrorTrap" + root.out.event.message = "panHAPeerErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerErrorTrap - UNEXPECTED VARBINDS for panHAPeerErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 818 + # panHAPre13Trap + # + # HA peer is running pre-1.3 software + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPre13Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPre13Trap" + root.out.event.category.name = "panHAPre13Trap" + root.out.event.message = "panHAPre13Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPre13Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPre13Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPre13Trap - UNEXPECTED VARBINDS for panHAPre13Trap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 819 + # panHAPre20Trap + # + # HA peer is running pre-2.0 software + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPre20Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPre20Trap" + root.out.event.category.name = "panHAPre20Trap" + root.out.event.message = "panHAPre20Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPre20Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPre20Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPre20Trap - UNEXPECTED VARBINDS for panHAPre20Trap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 820 + # panHAPeerVersionMatchTrap + # + # HA peer other software version matching + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionMatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionMatchTrap" + root.out.event.category.name = "panHAPeerVersionMatchTrap" + root.out.event.message = "panHAPeerVersionMatchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionMatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionMatchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerVersionMatchTrap - UNEXPECTED VARBINDS for panHAPeerVersionMatchTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 821 + # panHAPeerVersionSupportedTrap + # + # HA peer version is supported with our local version + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionSupportedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionSupportedTrap" + root.out.event.category.name = "panHAPeerVersionSupportedTrap" + root.out.event.message = "panHAPeerVersionSupportedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionSupportedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionSupportedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerVersionSupportedTrap - UNEXPECTED VARBINDS for panHAPeerVersionSupportedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 822 + # panHAPeerVersionUnsupportedTrap + # + # HA peer version is not supported with our local version + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionUnsupportedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionUnsupportedTrap" + root.out.event.category.name = "panHAPeerVersionUnsupportedTrap" + root.out.event.message = "panHAPeerVersionUnsupportedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionUnsupportedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionUnsupportedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerVersionUnsupportedTrap - UNEXPECTED VARBINDS for panHAPeerVersionUnsupportedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 823 + # panHAPeerVersionDegradedTrap + # + # HA peer version is degraded in our local version + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionDegradedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionDegradedTrap" + root.out.event.category.name = "panHAPeerVersionDegradedTrap" + root.out.event.message = "panHAPeerVersionDegradedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionDegradedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerVersionDegradedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerVersionDegradedTrap - UNEXPECTED VARBINDS for panHAPeerVersionDegradedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 824 + # panHAPeerCompatMismatchTrap + # + # HA peer compatibility mismatch + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatMismatchTrap" + root.out.event.category.name = "panHAPeerCompatMismatchTrap" + root.out.event.message = "panHAPeerCompatMismatchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatMismatchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerCompatMismatchTrap - UNEXPECTED VARBINDS for panHAPeerCompatMismatchTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 825 + # panHAPeerCompatMatchTrap + # + # HA peer compatibility now matches + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatMatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatMatchTrap" + root.out.event.category.name = "panHAPeerCompatMatchTrap" + root.out.event.message = "panHAPeerCompatMatchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatMatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatMatchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerCompatMatchTrap - UNEXPECTED VARBINDS for panHAPeerCompatMatchTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 826 + # panHAPeerCompatFailTrap + # + # HA peer compatibility failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatFailTrap" + root.out.event.category.name = "panHAPeerCompatFailTrap" + root.out.event.message = "panHAPeerCompatFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerCompatFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerCompatFailTrap - UNEXPECTED VARBINDS for panHAPeerCompatFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 827 + # panHAPeerSplitBrainTrap + # + # HA peer detected split-brain + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerSplitBrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerSplitBrainTrap" + root.out.event.category.name = "panHAPeerSplitBrainTrap" + root.out.event.message = "panHAPeerSplitBrainTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerSplitBrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerSplitBrainTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerSplitBrainTrap - UNEXPECTED VARBINDS for panHAPeerSplitBrainTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 828 + # panHASplitBrainTrap + # + # HA device detected split-brain + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASplitBrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASplitBrainTrap" + root.out.event.category.name = "panHASplitBrainTrap" + root.out.event.message = "panHASplitBrainTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASplitBrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASplitBrainTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHASplitBrainTrap - UNEXPECTED VARBINDS for panHASplitBrainTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 829 + # panHAPreemptLoopTrap + # + # HA device going suspend due to preemption-loop + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPreemptLoopTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPreemptLoopTrap" + root.out.event.category.name = "panHAPreemptLoopTrap" + root.out.event.message = "panHAPreemptLoopTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPreemptLoopTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPreemptLoopTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPreemptLoopTrap - UNEXPECTED VARBINDS for panHAPreemptLoopTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 830 + # panHANonFunctionalLoopTrap + # + # HA device going suspend due to non-functional-loop + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHANonFunctionalLoopTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHANonFunctionalLoopTrap" + root.out.event.category.name = "panHANonFunctionalLoopTrap" + root.out.event.message = "panHANonFunctionalLoopTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHANonFunctionalLoopTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHANonFunctionalLoopTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHANonFunctionalLoopTrap - UNEXPECTED VARBINDS for panHANonFunctionalLoopTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 831 + # panHAPeerShutdownTrap + # + # HA peer change caused a local shutdown + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerShutdownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerShutdownTrap" + root.out.event.category.name = "panHAPeerShutdownTrap" + root.out.event.message = "panHAPeerShutdownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerShutdownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAPeerShutdownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAPeerShutdownTrap - UNEXPECTED VARBINDS for panHAPeerShutdownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 832 + # panHANfsPanlogsFailTrap + # + # NFS panlogs failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHANfsPanlogsFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHANfsPanlogsFailTrap" + root.out.event.category.name = "panHANfsPanlogsFailTrap" + root.out.event.message = "panHANfsPanlogsFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHANfsPanlogsFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHANfsPanlogsFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHANfsPanlogsFailTrap - UNEXPECTED VARBINDS for panHANfsPanlogsFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 833 + # panHAInternalHaErrorTrap + # + # HA is not working properly; please call support + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAInternalHaErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAInternalHaErrorTrap" + root.out.event.category.name = "panHAInternalHaErrorTrap" + root.out.event.message = "panHAInternalHaErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAInternalHaErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAInternalHaErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAInternalHaErrorTrap - UNEXPECTED VARBINDS for panHAInternalHaErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 834 + # panHASystemFailureTrap + # + # System failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASystemFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASystemFailureTrap" + root.out.event.category.name = "panHASystemFailureTrap" + root.out.event.message = "panHASystemFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASystemFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASystemFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHASystemFailureTrap - UNEXPECTED VARBINDS for panHASystemFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 835 + # panHAHa2KeepAliveTrap + # + # HA2 keep alive status to peer device changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa2KeepAliveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa2KeepAliveTrap" + root.out.event.category.name = "panHAHa2KeepAliveTrap" + root.out.event.message = "panHAHa2KeepAliveTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa2KeepAliveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAHa2KeepAliveTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAHa2KeepAliveTrap - UNEXPECTED VARBINDS for panHAHa2KeepAliveTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 836 + # panHASlotFailureTrap + # + # Slot in failure state + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotFailureTrap" + root.out.event.category.name = "panHASlotFailureTrap" + root.out.event.message = "panHASlotFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHASlotFailureTrap - UNEXPECTED VARBINDS for panHASlotFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 837 + # panHASlotMismatchTrap + # + # Slot(s) in mismatch state + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotMismatchTrap" + root.out.event.category.name = "panHASlotMismatchTrap" + root.out.event.message = "panHASlotMismatchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotMismatchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHASlotMismatchTrap - UNEXPECTED VARBINDS for panHASlotMismatchTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 838 + # panHASlotControlFailureTrap + # + # Slot ha-pair command failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotControlFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotControlFailureTrap" + root.out.event.category.name = "panHASlotControlFailureTrap" + root.out.event.message = "panHASlotControlFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotControlFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotControlFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHASlotControlFailureTrap - UNEXPECTED VARBINDS for panHASlotControlFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 839 + # panHASlotControlEventTrap + # + # Slot ha-pair command event + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotControlEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotControlEventTrap" + root.out.event.category.name = "panHASlotControlEventTrap" + root.out.event.message = "panHASlotControlEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotControlEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASlotControlEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHASlotControlEventTrap - UNEXPECTED VARBINDS for panHASlotControlEventTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 840 + # panHASessionSynchTrap + # + # Session synchronization messages + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASessionSynchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASessionSynchTrap" + root.out.event.category.name = "panHASessionSynchTrap" + root.out.event.message = "panHASessionSynchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASessionSynchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHASessionSynchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHASessionSynchTrap - UNEXPECTED VARBINDS for panHASessionSynchTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 841 + # panHAVmAwsInterfaceTrap + # + # AWS VM interface error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAVmAwsInterfaceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAVmAwsInterfaceTrap" + root.out.event.category.name = "panHAVmAwsInterfaceTrap" + root.out.event.message = "panHAVmAwsInterfaceTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAVmAwsInterfaceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHAVmAwsInterfaceTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHAVmAwsInterfaceTrap - UNEXPECTED VARBINDS for panHAVmAwsInterfaceTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 900 + # panHWDiskErrorsTrap + # + # Hard drive physical issues + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWDiskErrorsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWDiskErrorsTrap" + root.out.event.category.name = "panHWDiskErrorsTrap" + root.out.event.message = "panHWDiskErrorsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWDiskErrorsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWDiskErrorsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWDiskErrorsTrap - UNEXPECTED VARBINDS for panHWDiskErrorsTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 901 + # panHWSlotUpTrap + # + # Slot is up and functional + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotUpTrap" + root.out.event.category.name = "panHWSlotUpTrap" + root.out.event.message = "panHWSlotUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotUpTrap - UNEXPECTED VARBINDS for panHWSlotUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 902 + # panHWInsufficientPowerTrap + # + # Not enough power to start slot + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWInsufficientPowerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWInsufficientPowerTrap" + root.out.event.category.name = "panHWInsufficientPowerTrap" + root.out.event.message = "panHWInsufficientPowerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWInsufficientPowerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWInsufficientPowerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWInsufficientPowerTrap - UNEXPECTED VARBINDS for panHWInsufficientPowerTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 903 + # panHWSlotUnsupportedTrap + # + # Not supported card detected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotUnsupportedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotUnsupportedTrap" + root.out.event.category.name = "panHWSlotUnsupportedTrap" + root.out.event.message = "panHWSlotUnsupportedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotUnsupportedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotUnsupportedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotUnsupportedTrap - UNEXPECTED VARBINDS for panHWSlotUnsupportedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 904 + # panHWSlotStartingTrap + # + # Slot is starting + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotStartingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotStartingTrap" + root.out.event.category.name = "panHWSlotStartingTrap" + root.out.event.message = "panHWSlotStartingTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotStartingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotStartingTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotStartingTrap - UNEXPECTED VARBINDS for panHWSlotStartingTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 905 + # panHWSlotStoppingTrap + # + # Slot is stopping + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotStoppingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotStoppingTrap" + root.out.event.category.name = "panHWSlotStoppingTrap" + root.out.event.message = "panHWSlotStoppingTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotStoppingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotStoppingTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotStoppingTrap - UNEXPECTED VARBINDS for panHWSlotStoppingTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 906 + # panHWSlotFailureTrap + # + # Slot has seen a failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotFailureTrap" + root.out.event.category.name = "panHWSlotFailureTrap" + root.out.event.message = "panHWSlotFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotFailureTrap - UNEXPECTED VARBINDS for panHWSlotFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 907 + # panHWSlotPoweroffTrap + # + # Slot is powered off + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotPoweroffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotPoweroffTrap" + root.out.event.category.name = "panHWSlotPoweroffTrap" + root.out.event.message = "panHWSlotPoweroffTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotPoweroffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotPoweroffTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotPoweroffTrap - UNEXPECTED VARBINDS for panHWSlotPoweroffTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 908 + # panHWSlotAdminpoweroffTrap + # + # Slot is admin-powered off + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotAdminpoweroffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotAdminpoweroffTrap" + root.out.event.category.name = "panHWSlotAdminpoweroffTrap" + root.out.event.message = "panHWSlotAdminpoweroffTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotAdminpoweroffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotAdminpoweroffTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotAdminpoweroffTrap - UNEXPECTED VARBINDS for panHWSlotAdminpoweroffTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 909 + # panHWSlotInsertedTrap + # + # Card inserted in slot + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotInsertedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotInsertedTrap" + root.out.event.category.name = "panHWSlotInsertedTrap" + root.out.event.message = "panHWSlotInsertedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotInsertedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotInsertedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotInsertedTrap - UNEXPECTED VARBINDS for panHWSlotInsertedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 910 + # panHWSlotRemovedTrap + # + # Card removed from slot + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotRemovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotRemovedTrap" + root.out.event.category.name = "panHWSlotRemovedTrap" + root.out.event.message = "panHWSlotRemovedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotRemovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWSlotRemovedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWSlotRemovedTrap - UNEXPECTED VARBINDS for panHWSlotRemovedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 911 + # panHWPsInsertedTrap + # + # Power supply inserted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsInsertedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsInsertedTrap" + root.out.event.category.name = "panHWPsInsertedTrap" + root.out.event.message = "panHWPsInsertedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsInsertedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsInsertedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWPsInsertedTrap - UNEXPECTED VARBINDS for panHWPsInsertedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 912 + # panHWPsRemovedTrap + # + # Power supply removed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsRemovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsRemovedTrap" + root.out.event.category.name = "panHWPsRemovedTrap" + root.out.event.message = "panHWPsRemovedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsRemovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsRemovedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWPsRemovedTrap - UNEXPECTED VARBINDS for panHWPsRemovedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 913 + # panHWPsFailureTrap + # + # Power supply failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsFailureTrap" + root.out.event.category.name = "panHWPsFailureTrap" + root.out.event.message = "panHWPsFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWPsFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWPsFailureTrap - UNEXPECTED VARBINDS for panHWPsFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 914 + # panHWFanInsertedTrap + # + # Fan tray inserted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanInsertedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanInsertedTrap" + root.out.event.category.name = "panHWFanInsertedTrap" + root.out.event.message = "panHWFanInsertedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanInsertedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanInsertedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWFanInsertedTrap - UNEXPECTED VARBINDS for panHWFanInsertedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 915 + # panHWFanRemovedTrap + # + # Fan tray removed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanRemovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanRemovedTrap" + root.out.event.category.name = "panHWFanRemovedTrap" + root.out.event.message = "panHWFanRemovedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanRemovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanRemovedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWFanRemovedTrap - UNEXPECTED VARBINDS for panHWFanRemovedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 916 + # panHWFanFailureTrap + # + # Fan failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanFailureTrap" + root.out.event.category.name = "panHWFanFailureTrap" + root.out.event.message = "panHWFanFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFanFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWFanFailureTrap - UNEXPECTED VARBINDS for panHWFanFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 917 + # panHWBootstrapImageErrorTrap + # + # Booting from external device image failed, bootstrap aborted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapImageErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapImageErrorTrap" + root.out.event.category.name = "panHWBootstrapImageErrorTrap" + root.out.event.message = "panHWBootstrapImageErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapImageErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapImageErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapImageErrorTrap - UNEXPECTED VARBINDS for panHWBootstrapImageErrorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 918 + # panHWBootstrapConfigNotFoundTrap + # + # No bootstrap config found on the external device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapConfigNotFoundTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapConfigNotFoundTrap" + root.out.event.category.name = "panHWBootstrapConfigNotFoundTrap" + root.out.event.message = "panHWBootstrapConfigNotFoundTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapConfigNotFoundTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapConfigNotFoundTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapConfigNotFoundTrap - UNEXPECTED VARBINDS for panHWBootstrapConfigNotFoundTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 919 + # panHWBadParamsBootstrapConfigTrap + # + # Missing or incorrect mandatory parameters in the bootstrap config file + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBadParamsBootstrapConfigTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBadParamsBootstrapConfigTrap" + root.out.event.category.name = "panHWBadParamsBootstrapConfigTrap" + root.out.event.message = "panHWBadParamsBootstrapConfigTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBadParamsBootstrapConfigTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBadParamsBootstrapConfigTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBadParamsBootstrapConfigTrap - UNEXPECTED VARBINDS for panHWBadParamsBootstrapConfigTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 920 + # panHWMediaSanityFailureTrap + # + # Install media failed sanity check + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWMediaSanityFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWMediaSanityFailureTrap" + root.out.event.category.name = "panHWMediaSanityFailureTrap" + root.out.event.message = "panHWMediaSanityFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWMediaSanityFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWMediaSanityFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWMediaSanityFailureTrap - UNEXPECTED VARBINDS for panHWMediaSanityFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 921 + # panHWUsbMediaPrepSuccessTrap + # + # USB media prepared successfully using given bundle + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWUsbMediaPrepSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWUsbMediaPrepSuccessTrap" + root.out.event.category.name = "panHWUsbMediaPrepSuccessTrap" + root.out.event.message = "panHWUsbMediaPrepSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWUsbMediaPrepSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWUsbMediaPrepSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWUsbMediaPrepSuccessTrap - UNEXPECTED VARBINDS for panHWUsbMediaPrepSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 922 + # panHWBootstrapSuccessTrap + # + # Bootstrap completed successfully from external device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapSuccessTrap" + root.out.event.category.name = "panHWBootstrapSuccessTrap" + root.out.event.message = "panHWBootstrapSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapSuccessTrap - UNEXPECTED VARBINDS for panHWBootstrapSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 923 + # panHWBootstrapLicenseFailureTrap + # + # License installation failed for bootstrap device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapLicenseFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapLicenseFailureTrap" + root.out.event.category.name = "panHWBootstrapLicenseFailureTrap" + root.out.event.message = "panHWBootstrapLicenseFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapLicenseFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapLicenseFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapLicenseFailureTrap - UNEXPECTED VARBINDS for panHWBootstrapLicenseFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 924 + # panHWBootstrapContentFailureTrap + # + # Content installation failed for bootstrap device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapContentFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapContentFailureTrap" + root.out.event.category.name = "panHWBootstrapContentFailureTrap" + root.out.event.message = "panHWBootstrapContentFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapContentFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapContentFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapContentFailureTrap - UNEXPECTED VARBINDS for panHWBootstrapContentFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 925 + # panHWBootstrapMediaDetectTrap + # + # Bootstrap install media detect status + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapMediaDetectTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapMediaDetectTrap" + root.out.event.category.name = "panHWBootstrapMediaDetectTrap" + root.out.event.message = "panHWBootstrapMediaDetectTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapMediaDetectTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapMediaDetectTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapMediaDetectTrap - UNEXPECTED VARBINDS for panHWBootstrapMediaDetectTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 926 + # panHWBootstrapMediaSanityTrap + # + # Bootstrap install media sanity check status + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapMediaSanityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapMediaSanityTrap" + root.out.event.category.name = "panHWBootstrapMediaSanityTrap" + root.out.event.message = "panHWBootstrapMediaSanityTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapMediaSanityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapMediaSanityTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapMediaSanityTrap - UNEXPECTED VARBINDS for panHWBootstrapMediaSanityTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 927 + # panHWBootstrapImageUpgradeTrap + # + # Bootstrap software image installation status + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapImageUpgradeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapImageUpgradeTrap" + root.out.event.category.name = "panHWBootstrapImageUpgradeTrap" + root.out.event.message = "panHWBootstrapImageUpgradeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapImageUpgradeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapImageUpgradeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapImageUpgradeTrap - UNEXPECTED VARBINDS for panHWBootstrapImageUpgradeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 928 + # panHWBootstrapOpCmdTrap + # + # Bootstrap operational command status + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + 
if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapOpCmdTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapOpCmdTrap" + root.out.event.category.name = "panHWBootstrapOpCmdTrap" + root.out.event.message = "panHWBootstrapOpCmdTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapOpCmdTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWBootstrapOpCmdTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWBootstrapOpCmdTrap - UNEXPECTED VARBINDS for panHWBootstrapOpCmdTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 929 + # panHWThermalFailureTrap + # + # I2C Failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWThermalFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWThermalFailureTrap" + root.out.event.category.name = "panHWThermalFailureTrap" + root.out.event.message = "panHWThermalFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWThermalFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWThermalFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWThermalFailureTrap - UNEXPECTED VARBINDS for panHWThermalFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 930 + # panHWContentEngineFailureTrap + # + # CE Memory Failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWContentEngineFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWContentEngineFailureTrap" + root.out.event.category.name = "panHWContentEngineFailureTrap" + root.out.event.message = "panHWContentEngineFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWContentEngineFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWContentEngineFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWContentEngineFailureTrap - UNEXPECTED VARBINDS for panHWContentEngineFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 931 + # panHWFailoverCLITrap + # + # Planned SC Failover + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFailoverCLITrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFailoverCLITrap" + root.out.event.category.name = "panHWFailoverCLITrap" + root.out.event.message = "panHWFailoverCLITrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFailoverCLITrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFailoverCLITrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWFailoverCLITrap - UNEXPECTED VARBINDS for panHWFailoverCLITrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 932 + # panHWFailoverUnexpectedTrap + # + # Unexpected SC Failover + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFailoverUnexpectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFailoverUnexpectedTrap" + root.out.event.category.name = "panHWFailoverUnexpectedTrap" + root.out.event.message = "panHWFailoverUnexpectedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFailoverUnexpectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panHWFailoverUnexpectedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panHWFailoverUnexpectedTrap - UNEXPECTED VARBINDS for panHWFailoverUnexpectedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1000 + # panNTDPRestartTrap + # + # Restarted ntpd + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPRestartTrap" + root.out.event.category.name = "panNTDPRestartTrap" + root.out.event.message = "panNTDPRestartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPRestartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panNTDPRestartTrap - UNEXPECTED VARBINDS for panNTDPRestartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1001 + # panNTDPTimeLearnTrap + # + # Restarted ntpd on config change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPTimeLearnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPTimeLearnTrap" + root.out.event.category.name = "panNTDPTimeLearnTrap" + root.out.event.message = "panNTDPTimeLearnTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPTimeLearnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPTimeLearnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panNTDPTimeLearnTrap - UNEXPECTED VARBINDS for panNTDPTimeLearnTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1002 + # panNTDPSyncTrap + # + # sync to server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPSyncTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPSyncTrap" + root.out.event.category.name = "panNTDPSyncTrap" + root.out.event.message = "panNTDPSyncTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPSyncTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPSyncTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panNTDPSyncTrap - UNEXPECTED VARBINDS for panNTDPSyncTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1003 + # panNTDPAuthTrap + # + # authentication + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPAuthTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPAuthTrap" + root.out.event.category.name = "panNTDPAuthTrap" + root.out.event.message = "panNTDPAuthTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPAuthTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNTDPAuthTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panNTDPAuthTrap - UNEXPECTED VARBINDS for panNTDPAuthTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1100 + # panPBFNhUpTrap + # + # PBF nexthop is reachable + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFNhUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFNhUpTrap" + root.out.event.category.name = "panPBFNhUpTrap" + root.out.event.message = "panPBFNhUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFNhUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFNhUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPBFNhUpTrap - UNEXPECTED VARBINDS for panPBFNhUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1101 + # panPBFNhDownTrap + # + # PBF nexthop is unreachable + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") 
{ + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFNhDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFNhDownTrap" + root.out.event.category.name = "panPBFNhDownTrap" + root.out.event.message = "panPBFNhDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFNhDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFNhDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPBFNhDownTrap - UNEXPECTED VARBINDS for panPBFNhDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1102 + # panPBFPbfFqdnDownTrap + # + # PBF nexthop fqdn mapping is unresolved + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFPbfFqdnDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFPbfFqdnDownTrap" + root.out.event.category.name = "panPBFPbfFqdnDownTrap" + root.out.event.message = "panPBFPbfFqdnDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFPbfFqdnDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFPbfFqdnDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPBFPbfFqdnDownTrap - UNEXPECTED VARBINDS for panPBFPbfFqdnDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1103 + # panPBFPbfFqdnChangeTrap + # + # PBF nexthop fqdn mapping is changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFPbfFqdnChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFPbfFqdnChangeTrap" + root.out.event.category.name = "panPBFPbfFqdnChangeTrap" + root.out.event.message = "panPBFPbfFqdnChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFPbfFqdnChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPBFPbfFqdnChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPBFPbfFqdnChangeTrap - UNEXPECTED VARBINDS for panPBFPbfFqdnChangeTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1200 + # panPORTLinkChangeTrap + # + # Interface link state change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTLinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTLinkChangeTrap" + root.out.event.category.name = "panPORTLinkChangeTrap" + root.out.event.message = "panPORTLinkChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTLinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTLinkChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPORTLinkChangeTrap - UNEXPECTED VARBINDS for panPORTLinkChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1201 + # panPORTNonqualSfpTrap + # + # Non-qualified SFP inserted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualSfpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualSfpTrap" + root.out.event.category.name = "panPORTNonqualSfpTrap" + root.out.event.message = "panPORTNonqualSfpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualSfpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualSfpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPORTNonqualSfpTrap - UNEXPECTED VARBINDS for panPORTNonqualSfpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1202 + # panPORTNonqualSfpPlusTrap + # + # Non-qualified SFP-plus inserted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualSfpPlusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualSfpPlusTrap" + root.out.event.category.name = "panPORTNonqualSfpPlusTrap" + root.out.event.message = "panPORTNonqualSfpPlusTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualSfpPlusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualSfpPlusTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPORTNonqualSfpPlusTrap - UNEXPECTED VARBINDS for panPORTNonqualSfpPlusTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1203 + # panPORTNonqualXfpTrap + # + # Non-qualified XFP inserted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualXfpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualXfpTrap" + root.out.event.category.name = "panPORTNonqualXfpTrap" + root.out.event.message = "panPORTNonqualXfpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualXfpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonqualXfpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPORTNonqualXfpTrap - UNEXPECTED VARBINDS for panPORTNonqualXfpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1204 + # panPORTNonsuppForcedTrap + # + # Non-supported forced mode configured + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonsuppForcedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonsuppForcedTrap" + root.out.event.category.name = "panPORTNonsuppForcedTrap" + root.out.event.message = "panPORTNonsuppForcedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonsuppForcedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTNonsuppForcedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPORTNonsuppForcedTrap - UNEXPECTED VARBINDS for panPORTNonsuppForcedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1205 + # panPORTInvalidModuleTrap + # + # Invalid pluggable module inserted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTInvalidModuleTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTInvalidModuleTrap" + root.out.event.category.name = "panPORTInvalidModuleTrap" + root.out.event.message = "panPORTInvalidModuleTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTInvalidModuleTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTInvalidModuleTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPORTInvalidModuleTrap - UNEXPECTED VARBINDS for panPORTInvalidModuleTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1206 + # panPORTSdwanLinkChangeTrap + # + # SD-WAN Interface link state change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTSdwanLinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTSdwanLinkChangeTrap" + root.out.event.category.name = "panPORTSdwanLinkChangeTrap" + root.out.event.message = "panPORTSdwanLinkChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTSdwanLinkChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPORTSdwanLinkChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPORTSdwanLinkChangeTrap - UNEXPECTED VARBINDS for panPORTSdwanLinkChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1300 + # panPPPOEInitiateTrap + # + # PPPOE initiated + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEInitiateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEInitiateTrap" + root.out.event.category.name = "panPPPOEInitiateTrap" + root.out.event.message = "panPPPOEInitiateTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEInitiateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEInitiateTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEInitiateTrap - UNEXPECTED VARBINDS for panPPPOEInitiateTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1301 + # panPPPOEConnectTrap + # + # PPPOE connected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEConnectTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEConnectTrap" + root.out.event.category.name = "panPPPOEConnectTrap" + root.out.event.message = "panPPPOEConnectTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEConnectTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEConnectTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEConnectTrap - UNEXPECTED VARBINDS for panPPPOEConnectTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1302 + # panPPPOEConnectFailTrap + # + # PPPOE failed to connect + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEConnectFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEConnectFailTrap" + root.out.event.category.name = "panPPPOEConnectFailTrap" + root.out.event.message = "panPPPOEConnectFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEConnectFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEConnectFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEConnectFailTrap - UNEXPECTED VARBINDS for panPPPOEConnectFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1303 + # panPPPOETerminateTrap + # + # PPPOE terminated + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOETerminateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOETerminateTrap" + root.out.event.category.name = "panPPPOETerminateTrap" + root.out.event.message = "panPPPOETerminateTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOETerminateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOETerminateTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOETerminateTrap - UNEXPECTED VARBINDS for panPPPOETerminateTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1304 + # panPPPOEIfUpdateFailTrap + # + # PPPOE interface update failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEIfUpdateFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEIfUpdateFailTrap" + root.out.event.category.name = "panPPPOEIfUpdateFailTrap" + root.out.event.message = "panPPPOEIfUpdateFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEIfUpdateFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEIfUpdateFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEIfUpdateFailTrap - UNEXPECTED VARBINDS for panPPPOEIfUpdateFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1305 + # panPPPOEDontSendEolPadiTrap + # + # PPPOE Don't Send EOL Tag in PADI packet + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEDontSendEolPadiTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEDontSendEolPadiTrap" + root.out.event.category.name = "panPPPOEDontSendEolPadiTrap" + root.out.event.message = "panPPPOEDontSendEolPadiTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEDontSendEolPadiTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEDontSendEolPadiTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEDontSendEolPadiTrap - UNEXPECTED VARBINDS for panPPPOEDontSendEolPadiTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1306 + # panPPPOEDontSendEolPadrTrap + # + # PPPOE Don't Send EOL Tag in PADR packet + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEDontSendEolPadrTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEDontSendEolPadrTrap" + root.out.event.category.name = "panPPPOEDontSendEolPadrTrap" + root.out.event.message = "panPPPOEDontSendEolPadrTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEDontSendEolPadrTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEDontSendEolPadrTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEDontSendEolPadrTrap - UNEXPECTED VARBINDS for panPPPOEDontSendEolPadrTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1307 + # panPPPOEAddressTrap + # + # PPPOE slaac address selection + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEAddressTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEAddressTrap" + root.out.event.category.name = "panPPPOEAddressTrap" + root.out.event.message = "panPPPOEAddressTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEAddressTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEAddressTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEAddressTrap - UNEXPECTED VARBINDS for panPPPOEAddressTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1308 + # panPPPOEV6IfUpdateFailTrap + # + # DHCPV6 update fail + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfUpdateFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfUpdateFailTrap" + root.out.event.category.name = "panPPPOEV6IfUpdateFailTrap" + root.out.event.message = "panPPPOEV6IfUpdateFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfUpdateFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfUpdateFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfUpdateFailTrap - UNEXPECTED VARBINDS for panPPPOEV6IfUpdateFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1309 + # panPPPOEV6IfUpdateOkTrap + # + # DHCPV6 update successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfUpdateOkTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfUpdateOkTrap" + root.out.event.category.name = "panPPPOEV6IfUpdateOkTrap" + root.out.event.message = "panPPPOEV6IfUpdateOkTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfUpdateOkTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfUpdateOkTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfUpdateOkTrap - UNEXPECTED VARBINDS for panPPPOEV6IfUpdateOkTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1310 + # panPPPOEV6IfClearTrap + # + # DHCPV6 info cleared + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfClearTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfClearTrap" + root.out.event.category.name = "panPPPOEV6IfClearTrap" + root.out.event.message = "panPPPOEV6IfClearTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfClearTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfClearTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfClearTrap - UNEXPECTED VARBINDS for panPPPOEV6IfClearTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1311 + # panPPPOEV6IfRenewTriggerTrap + # + # DHCPV6 renew triggered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfRenewTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfRenewTriggerTrap" + root.out.event.category.name = "panPPPOEV6IfRenewTriggerTrap" + root.out.event.message = "panPPPOEV6IfRenewTriggerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfRenewTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfRenewTriggerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfRenewTriggerTrap - UNEXPECTED VARBINDS for panPPPOEV6IfRenewTriggerTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1312 + # panPPPOEV6IfReleaseTriggerTrap + # + # DHCPV6 release triggered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfReleaseTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfReleaseTriggerTrap" + root.out.event.category.name = "panPPPOEV6IfReleaseTriggerTrap" + root.out.event.message = "panPPPOEV6IfReleaseTriggerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfReleaseTriggerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfReleaseTriggerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfReleaseTriggerTrap - UNEXPECTED VARBINDS for panPPPOEV6IfReleaseTriggerTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1313 + # panPPPOEV6IfConfirmFailedTrap + # + # DHCPV6 confirm failed,continuing with the existing addresses + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfConfirmFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfConfirmFailedTrap" + root.out.event.category.name = "panPPPOEV6IfConfirmFailedTrap" + root.out.event.message = "panPPPOEV6IfConfirmFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfConfirmFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfConfirmFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfConfirmFailedTrap - UNEXPECTED VARBINDS for panPPPOEV6IfConfirmFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1314 + # panPPPOEV6IfDuplicateIpIntfTrap + # + # DHCPV6 received IP address already assigned to another interface + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateIpIntfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateIpIntfTrap" + root.out.event.category.name = "panPPPOEV6IfDuplicateIpIntfTrap" + root.out.event.message = "panPPPOEV6IfDuplicateIpIntfTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateIpIntfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateIpIntfTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfDuplicateIpIntfTrap - UNEXPECTED VARBINDS for panPPPOEV6IfDuplicateIpIntfTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1315 + # panPPPOEV6IfDuplicateIpRemoteTrap + # + # DHCPV6 received IP address already used by another host on the network + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateIpRemoteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateIpRemoteTrap" + root.out.event.category.name = "panPPPOEV6IfDuplicateIpRemoteTrap" + root.out.event.message = "panPPPOEV6IfDuplicateIpRemoteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateIpRemoteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateIpRemoteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfDuplicateIpRemoteTrap - UNEXPECTED VARBINDS for panPPPOEV6IfDuplicateIpRemoteTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1316 + # panPPPOEV6IfIanaNotReceivedTrap + # + # DHCPV6 unable to obtain Non-temporary address from the Server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIanaNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIanaNotReceivedTrap" + root.out.event.category.name = "panPPPOEV6IfIanaNotReceivedTrap" + root.out.event.message = "panPPPOEV6IfIanaNotReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIanaNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIanaNotReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfIanaNotReceivedTrap - UNEXPECTED VARBINDS for panPPPOEV6IfIanaNotReceivedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1317 + # panPPPOEV6IfIataNotReceivedTrap + # + # DHCPV6 unable to obtain Temporary address from the Server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIataNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIataNotReceivedTrap" + root.out.event.category.name = "panPPPOEV6IfIataNotReceivedTrap" + root.out.event.message = "panPPPOEV6IfIataNotReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIataNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIataNotReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfIataNotReceivedTrap - UNEXPECTED VARBINDS for panPPPOEV6IfIataNotReceivedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1318 + # panPPPOEV6IfIapdNotReceivedTrap + # + # DHCPV6 unable to obtain Prefix Delegation address from the Server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIapdNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIapdNotReceivedTrap" + root.out.event.category.name = "panPPPOEV6IfIapdNotReceivedTrap" + root.out.event.message = "panPPPOEV6IfIapdNotReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIapdNotReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfIapdNotReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfIapdNotReceivedTrap - UNEXPECTED VARBINDS for panPPPOEV6IfIapdNotReceivedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1319 + # panPPPOEV6IfDhcpv6LeaseStartTrap + # + # DHCPV6 lease of addresses started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6LeaseStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6LeaseStartTrap" + root.out.event.category.name = "panPPPOEV6IfDhcpv6LeaseStartTrap" + root.out.event.message = "panPPPOEV6IfDhcpv6LeaseStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6LeaseStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6LeaseStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfDhcpv6LeaseStartTrap - UNEXPECTED VARBINDS for panPPPOEV6IfDhcpv6LeaseStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1320 + # panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap + # + # DHCPV6 Preferred lifetime of addresses expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap" + root.out.event.category.name = "panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap" + root.out.event.message = "panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap - UNEXPECTED VARBINDS for panPPPOEV6IfDhcpv6PreferredLifetimeOverTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1321 + # panPPPOEV6IfDhcpv6LeaseEndTrap + # + # DHCPV6 Lease of addresses + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6LeaseEndTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6LeaseEndTrap" + root.out.event.category.name = "panPPPOEV6IfDhcpv6LeaseEndTrap" + root.out.event.message = "panPPPOEV6IfDhcpv6LeaseEndTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6LeaseEndTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDhcpv6LeaseEndTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfDhcpv6LeaseEndTrap - UNEXPECTED VARBINDS for panPPPOEV6IfDhcpv6LeaseEndTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1322 + # panPPPOEV6IfDuplicateAddressReceivedTrap + # + # DHCPV6 IPv6 address ip_address on interface if_name failed due to duplicate IP check + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateAddressReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateAddressReceivedTrap" + root.out.event.category.name = "panPPPOEV6IfDuplicateAddressReceivedTrap" + root.out.event.message = "panPPPOEV6IfDuplicateAddressReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateAddressReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfDuplicateAddressReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfDuplicateAddressReceivedTrap - UNEXPECTED VARBINDS for panPPPOEV6IfDuplicateAddressReceivedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1323 + # panPPPOEV6IfPdIdentifierValueTrap + # + # DHCPV6 Prefix cannot be assigned to the Inherited Interface if_name,since the value of the Pool identifier is larger the prefix range received. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfPdIdentifierValueTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfPdIdentifierValueTrap" + root.out.event.category.name = "panPPPOEV6IfPdIdentifierValueTrap" + root.out.event.message = "panPPPOEV6IfPdIdentifierValueTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfPdIdentifierValueTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfPdIdentifierValueTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfPdIdentifierValueTrap - UNEXPECTED VARBINDS for panPPPOEV6IfPdIdentifierValueTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1324 + # panPPPOEV6IfPdExhaustTrap + # + # DHCPV6 Prefix cannot be assigned to the Inherited Interface,since the prefix pool exhausted. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfPdExhaustTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfPdExhaustTrap" + root.out.event.category.name = "panPPPOEV6IfPdExhaustTrap" + root.out.event.message = "panPPPOEV6IfPdExhaustTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfPdExhaustTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPPPOEV6IfPdExhaustTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPPPOEV6IfPdExhaustTrap - UNEXPECTED VARBINDS for panPPPOEV6IfPdExhaustTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1400 + # panRASRasmgrConfigP1SuccessTrap + # + # RASMGR daemon configuration load phase-1 succeeded. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1SuccessTrap" + root.out.event.category.name = "panRASRasmgrConfigP1SuccessTrap" + root.out.event.message = "panRASRasmgrConfigP1SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrConfigP1SuccessTrap - UNEXPECTED VARBINDS for panRASRasmgrConfigP1SuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1401 + # panRASRasmgrConfigP1FailedTrap + # + # RASMGR daemon configuration load phase-1 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { 
+ if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1FailedTrap" + root.out.event.category.name = "panRASRasmgrConfigP1FailedTrap" + root.out.event.message = "panRASRasmgrConfigP1FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrConfigP1FailedTrap - UNEXPECTED VARBINDS for panRASRasmgrConfigP1FailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1402 + # panRASRasmgrConfigP1AbortTrap + # + # RASMGR daemon configuration load phase-1 aborted. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1AbortTrap" + root.out.event.category.name = "panRASRasmgrConfigP1AbortTrap" + root.out.event.message = "panRASRasmgrConfigP1AbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP1AbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrConfigP1AbortTrap - UNEXPECTED VARBINDS for panRASRasmgrConfigP1AbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1403 + # panRASRasmgrConfigP2SuccessTrap + # + # RASMGR daemon configuration load phase-2 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP2SuccessTrap" + root.out.event.category.name = "panRASRasmgrConfigP2SuccessTrap" + root.out.event.message = "panRASRasmgrConfigP2SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP2SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrConfigP2SuccessTrap - UNEXPECTED VARBINDS for panRASRasmgrConfigP2SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1404 + # panRASRasmgrConfigP2FailedTrap + # + # RASMGR daemon configuration load phase-2 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP2FailedTrap" + root.out.event.category.name = "panRASRasmgrConfigP2FailedTrap" + root.out.event.message = "panRASRasmgrConfigP2FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrConfigP2FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrConfigP2FailedTrap - UNEXPECTED VARBINDS for panRASRasmgrConfigP2FailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1405 + # panRASRasmgrDaemonStartTrap + # + # RASMGR daemon is ready. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonStartTrap" + root.out.event.category.name = "panRASRasmgrDaemonStartTrap" + root.out.event.message = "panRASRasmgrDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrDaemonStartTrap - UNEXPECTED VARBINDS for panRASRasmgrDaemonStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1406 + # panRASRasmgrDaemonExitTrap + # + # RASMGR daemon has exited. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonExitTrap" + root.out.event.category.name = "panRASRasmgrDaemonExitTrap" + root.out.event.message = "panRASRasmgrDaemonExitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonExitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrDaemonExitTrap - UNEXPECTED VARBINDS for panRASRasmgrDaemonExitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1407 + # panRASRasmgrDaemonInitTrap + # + # RASMGR daemon is initializing. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonInitTrap" + root.out.event.category.name = "panRASRasmgrDaemonInitTrap" + root.out.event.message = "panRASRasmgrDaemonInitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrDaemonInitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrDaemonInitTrap - UNEXPECTED VARBINDS for panRASRasmgrDaemonInitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1408 + # panRASRasmgrFlowFullSyncStartTrap + # + # RASMGR daemon sync all user info to Flow started. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncStartTrap" + root.out.event.category.name = "panRASRasmgrFlowFullSyncStartTrap" + root.out.event.message = "panRASRasmgrFlowFullSyncStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrFlowFullSyncStartTrap - UNEXPECTED VARBINDS for panRASRasmgrFlowFullSyncStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1409 + # panRASRasmgrFlowFullSyncAbortTrap + # + # RASMGR daemon sync all user info to Flow no longer needed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncAbortTrap" + root.out.event.category.name = "panRASRasmgrFlowFullSyncAbortTrap" + root.out.event.message = "panRASRasmgrFlowFullSyncAbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncAbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrFlowFullSyncAbortTrap - UNEXPECTED VARBINDS for panRASRasmgrFlowFullSyncAbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1410 + # panRASRasmgrFlowFullSyncDoneTrap + # + # RASMGR daemon sync all user info to Flow exit. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncDoneTrap" + root.out.event.category.name = "panRASRasmgrFlowFullSyncDoneTrap" + root.out.event.message = "panRASRasmgrFlowFullSyncDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrFlowFullSyncDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrFlowFullSyncDoneTrap - UNEXPECTED VARBINDS for panRASRasmgrFlowFullSyncDoneTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1411 + # panRASRasmgrHaFullSyncStartTrap + # + # RASMGR daemon sync all user info to HA peer started. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncStartTrap" + root.out.event.category.name = "panRASRasmgrHaFullSyncStartTrap" + root.out.event.message = "panRASRasmgrHaFullSyncStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrHaFullSyncStartTrap - UNEXPECTED VARBINDS for panRASRasmgrHaFullSyncStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1412 + # panRASRasmgrHaFullSyncAbortTrap + # + # RASMGR daemon sync all user info to HA peer no longer needed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncAbortTrap" + root.out.event.category.name = "panRASRasmgrHaFullSyncAbortTrap" + root.out.event.message = "panRASRasmgrHaFullSyncAbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncAbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrHaFullSyncAbortTrap - UNEXPECTED VARBINDS for panRASRasmgrHaFullSyncAbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1413 + # panRASRasmgrHaFullSyncDoneTrap + # + # RASMGR daemon sync all user info to HA peer exit. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncDoneTrap" + root.out.event.category.name = "panRASRasmgrHaFullSyncDoneTrap" + root.out.event.message = "panRASRasmgrHaFullSyncDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRASRasmgrHaFullSyncDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRASRasmgrHaFullSyncDoneTrap - UNEXPECTED VARBINDS for panRASRasmgrHaFullSyncDoneTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1500 + # panROUTINGRoutedConfigP1SuccessTrap + # + # Route daemon configuration load phase-1 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1SuccessTrap" + root.out.event.category.name = "panROUTINGRoutedConfigP1SuccessTrap" + root.out.event.message = "panROUTINGRoutedConfigP1SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedConfigP1SuccessTrap - UNEXPECTED VARBINDS for panROUTINGRoutedConfigP1SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1501 + # panROUTINGRoutedConfigP1FailedTrap + # + # Route daemon configuration load phase-1 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1FailedTrap" + root.out.event.category.name = "panROUTINGRoutedConfigP1FailedTrap" + root.out.event.message = "panROUTINGRoutedConfigP1FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedConfigP1FailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedConfigP1FailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1502 + # panROUTINGRoutedConfigP1AbortTrap + # + # Route daemon configuration load phase-1 aborted. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1AbortTrap" + root.out.event.category.name = "panROUTINGRoutedConfigP1AbortTrap" + root.out.event.message = "panROUTINGRoutedConfigP1AbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP1AbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedConfigP1AbortTrap - UNEXPECTED VARBINDS for panROUTINGRoutedConfigP1AbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1503 + # panROUTINGRoutedConfigP2SuccessTrap + # + # Route daemon configuration load phase-2 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP2SuccessTrap" + root.out.event.category.name = "panROUTINGRoutedConfigP2SuccessTrap" + root.out.event.message = "panROUTINGRoutedConfigP2SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP2SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedConfigP2SuccessTrap - UNEXPECTED VARBINDS for panROUTINGRoutedConfigP2SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1504 + # panROUTINGRoutedConfigP2FailedTrap + # + # Route daemon configuration load phase-2 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP2FailedTrap" + root.out.event.category.name = "panROUTINGRoutedConfigP2FailedTrap" + root.out.event.message = "panROUTINGRoutedConfigP2FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedConfigP2FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedConfigP2FailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedConfigP2FailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1505 + # panROUTINGRoutedDaemonStartTrap + # + # Route daemon is ready. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonStartTrap" + root.out.event.category.name = "panROUTINGRoutedDaemonStartTrap" + root.out.event.message = "panROUTINGRoutedDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedDaemonStartTrap - UNEXPECTED VARBINDS for panROUTINGRoutedDaemonStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1506 + # panROUTINGRoutedDaemonExitTrap + # + # Route daemon has exited. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonExitTrap" + root.out.event.category.name = "panROUTINGRoutedDaemonExitTrap" + root.out.event.message = "panROUTINGRoutedDaemonExitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonExitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedDaemonExitTrap - UNEXPECTED VARBINDS for panROUTINGRoutedDaemonExitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1507 + # panROUTINGRoutedDaemonInitTrap + # + # Route daemon is initializing. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonInitTrap" + root.out.event.category.name = "panROUTINGRoutedDaemonInitTrap" + root.out.event.message = "panROUTINGRoutedDaemonInitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedDaemonInitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedDaemonInitTrap - UNEXPECTED VARBINDS for panROUTINGRoutedDaemonInitTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1508 + # panROUTINGRoutedFibSyncPeerBackupTrap + # + # FIB HA sync started when peer device becomes passive. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedFibSyncPeerBackupTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedFibSyncPeerBackupTrap" + root.out.event.category.name = "panROUTINGRoutedFibSyncPeerBackupTrap" + root.out.event.message = "panROUTINGRoutedFibSyncPeerBackupTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedFibSyncPeerBackupTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedFibSyncPeerBackupTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedFibSyncPeerBackupTrap - UNEXPECTED VARBINDS for panROUTINGRoutedFibSyncPeerBackupTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1509 + # panROUTINGRoutedFibSyncSelfMasterTrap + # + # FIB HA sync started when local device becomes master. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedFibSyncSelfMasterTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedFibSyncSelfMasterTrap" + root.out.event.category.name = "panROUTINGRoutedFibSyncSelfMasterTrap" + root.out.event.message = "panROUTINGRoutedFibSyncSelfMasterTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedFibSyncSelfMasterTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedFibSyncSelfMasterTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedFibSyncSelfMasterTrap - UNEXPECTED VARBINDS for panROUTINGRoutedFibSyncSelfMasterTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1510 + # panROUTINGRoutedRTMBadRouteTrap + # + # An invalid dynamic route has been rejected: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRTMBadRouteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRTMBadRouteTrap" + root.out.event.category.name = "panROUTINGRoutedRTMBadRouteTrap" + root.out.event.message = "panROUTINGRoutedRTMBadRouteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRTMBadRouteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRTMBadRouteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRTMBadRouteTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRTMBadRouteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1511 + # panROUTINGRoutedOSPFLSAChksumFailedTrap + # + # OSPF LSA checksum generating failed due to memory corruption. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumFailedTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFLSAChksumFailedTrap" + root.out.event.message = "panROUTINGRoutedOSPFLSAChksumFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFLSAChksumFailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFLSAChksumFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1512 + # panROUTINGRoutedOSPFLSAChksumInvalidTrap + # + # OSPF received LSA with invalid checksum. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumInvalidTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumInvalidTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFLSAChksumInvalidTrap" + root.out.event.message = "panROUTINGRoutedOSPFLSAChksumInvalidTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumInvalidTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumInvalidTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFLSAChksumInvalidTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFLSAChksumInvalidTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1513 + # panROUTINGRoutedOSPFAuthtypeBadTrap + # + # OSPF packet dropped due to unexpected authentication type. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFAuthtypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFAuthtypeBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFAuthtypeBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFAuthtypeBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFAuthtypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFAuthtypeBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFAuthtypeBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFAuthtypeBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1514 + # panROUTINGRoutedOSPFPasswordBadTrap + # + # OSPF packet dropped due to incorrect simple password. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFPasswordBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFPasswordBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFPasswordBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFPasswordBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFPasswordBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFPasswordBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFPasswordBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFPasswordBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1515 + # panROUTINGRoutedOSPFChksumBadTrap + # + # OSPF packet dropped due to incorrect OSPF checksum. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFChksumBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFChksumBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFChksumBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFChksumBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFChksumBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFChksumBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFChksumBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFChksumBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1516 + # panROUTINGRoutedOSPFSequenceBadTrap + # + # OSPF packet dropped due to incorrect sequence number. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFSequenceBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFSequenceBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFSequenceBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFSequenceBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFSequenceBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFSequenceBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFSequenceBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFSequenceBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1517 + # panROUTINGRoutedOSPFMd5chksumBadTrap + # + # OSPF packet dropped due to incorrect MD5 checksum. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5chksumBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5chksumBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFMd5chksumBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFMd5chksumBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5chksumBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5chksumBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFMd5chksumBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFMd5chksumBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1518 + # panROUTINGRoutedOSPFMd5lengthBadTrap + # + # OSPF packet dropped due to incorrect MD5 digest length. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5lengthBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5lengthBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFMd5lengthBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFMd5lengthBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5lengthBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5lengthBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFMd5lengthBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFMd5lengthBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1519 + # panROUTINGRoutedOSPFHelloHelloIntvalBadTrap + # + # OSPF hello packet dropped due to hello-interval mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloHelloIntvalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloHelloIntvalBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFHelloHelloIntvalBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFHelloHelloIntvalBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloHelloIntvalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloHelloIntvalBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFHelloHelloIntvalBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFHelloHelloIntvalBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1520 + # panROUTINGRoutedOSPFHelloDeadIntvalBadTrap + # + # OSPF hello packet dropped due to dead-interval mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloDeadIntvalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloDeadIntvalBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFHelloDeadIntvalBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFHelloDeadIntvalBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloDeadIntvalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloDeadIntvalBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFHelloDeadIntvalBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFHelloDeadIntvalBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1521 + # panROUTINGRoutedOSPFHelloNetmaskBadTrap + # + # OSPF hello packet dropped due to network masks mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloNetmaskBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloNetmaskBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFHelloNetmaskBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFHelloNetmaskBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloNetmaskBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloNetmaskBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFHelloNetmaskBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFHelloNetmaskBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1522 + # panROUTINGRoutedOSPFHelloAreaTypeBadTrap + # + # OSPF hello packet dropped due to area type mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloAreaTypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloAreaTypeBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFHelloAreaTypeBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFHelloAreaTypeBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloAreaTypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloAreaTypeBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFHelloAreaTypeBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFHelloAreaTypeBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1523 + # panROUTINGRoutedOSPFNeighbor2dirTrap + # + # OSPF two-way communication established with neighbor. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighbor2dirTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighbor2dirTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFNeighbor2dirTrap" + root.out.event.message = "panROUTINGRoutedOSPFNeighbor2dirTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighbor2dirTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighbor2dirTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFNeighbor2dirTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFNeighbor2dirTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1524 + # panROUTINGRoutedOSPFNeighborFullTrap + # + # OSPF full adjacency established with neighbor. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborFullTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborFullTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFNeighborFullTrap" + root.out.event.message = "panROUTINGRoutedOSPFNeighborFullTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborFullTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborFullTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFNeighborFullTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFNeighborFullTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1525 + # panROUTINGRoutedOSPFNeighborDownTrap + # + # OSPF adjacency with neighbor has gone down. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborDownTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFNeighborDownTrap" + root.out.event.message = "panROUTINGRoutedOSPFNeighborDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFNeighborDownTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFNeighborDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1526 + # panROUTINGRoutedRIPPeerAddTrap + # + # RIP peer discovered. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerAddTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerAddTrap" + root.out.event.category.name = "panROUTINGRoutedRIPPeerAddTrap" + root.out.event.message = "panROUTINGRoutedRIPPeerAddTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerAddTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerAddTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPPeerAddTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPPeerAddTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1527 + # panROUTINGRoutedRIPPeerDelTrap + # + # RIP peer disappeared. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerDelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerDelTrap" + root.out.event.category.name = "panROUTINGRoutedRIPPeerDelTrap" + root.out.event.message = "panROUTINGRoutedRIPPeerDelTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerDelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerDelTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPPeerDelTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPPeerDelTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1528 + # panROUTINGRoutedRIPAuthtypeBadTrap + # + # RIP packet dropped due to unexpected authentication type. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthtypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthtypeBadTrap" + root.out.event.category.name = "panROUTINGRoutedRIPAuthtypeBadTrap" + root.out.event.message = "panROUTINGRoutedRIPAuthtypeBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthtypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthtypeBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPAuthtypeBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPAuthtypeBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1529 + # panROUTINGRoutedRIPAuthFailedTrap + # + # RIP packet dropped due to authentication failure. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthFailedTrap" + root.out.event.category.name = "panROUTINGRoutedRIPAuthFailedTrap" + root.out.event.message = "panROUTINGRoutedRIPAuthFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPAuthFailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPAuthFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1530 + # panROUTINGRoutedRIPMd5lengthBadTrap + # + # RIP packet dropped due to incorrect MD5 digest length. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPMd5lengthBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPMd5lengthBadTrap" + root.out.event.category.name = "panROUTINGRoutedRIPMd5lengthBadTrap" + root.out.event.message = "panROUTINGRoutedRIPMd5lengthBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPMd5lengthBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPMd5lengthBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPMd5lengthBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPMd5lengthBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1531 + # panROUTINGRoutedBGPPeerEnterEstablishedTrap + # + # BGP peer session enters established state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerEnterEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerEnterEstablishedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerEnterEstablishedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerEnterEstablishedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerEnterEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerEnterEstablishedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerEnterEstablishedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerEnterEstablishedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1532 + # panROUTINGRoutedBGPPeerLeftEstablishedTrap + # + # BGP peer session left established state. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerLeftEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerLeftEstablishedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerLeftEstablishedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerLeftEstablishedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerLeftEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerLeftEstablishedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerLeftEstablishedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerLeftEstablishedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1533 + # panROUTINGRoutedBGPPeerFailedTrap + # + # BGP peer session has failed and may restart. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerFailedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerFailedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerFailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1534 + # panROUTINGRoutedBGPPeerRestartedTrap + # + # Initiated graceful-restart with a BGP peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerRestartedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerRestartedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerRestartedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerRestartedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1535 + # panROUTINGRoutedBGPPeerRestartFailedTrap + # + # Graceful-restart with a BGP peer failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartFailedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerRestartFailedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerRestartFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerRestartFailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerRestartFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1536 + # panROUTINGRoutedBGPRefreshSentTrap + # + # ROUTE REFRESH message sent to a BGP peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRefreshSentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRefreshSentTrap" + root.out.event.category.name = "panROUTINGRoutedBGPRefreshSentTrap" + root.out.event.message = "panROUTINGRoutedBGPRefreshSentTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRefreshSentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRefreshSentTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPRefreshSentTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPRefreshSentTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1537 + # panROUTINGRoutedBGPRibinRecalcTrap + # + # An RIB-In is being recalculated as a result of changed import policy. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRibinRecalcTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRibinRecalcTrap" + root.out.event.category.name = "panROUTINGRoutedBGPRibinRecalcTrap" + root.out.event.message = "panROUTINGRoutedBGPRibinRecalcTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRibinRecalcTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRibinRecalcTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPRibinRecalcTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPRibinRecalcTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1538 + # panROUTINGRoutedPIMInterfaceStateChangedTrap + # + # PIM interface state changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMInterfaceStateChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMInterfaceStateChangedTrap" + root.out.event.category.name = "panROUTINGRoutedPIMInterfaceStateChangedTrap" + root.out.event.message = "panROUTINGRoutedPIMInterfaceStateChangedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMInterfaceStateChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMInterfaceStateChangedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedPIMInterfaceStateChangedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedPIMInterfaceStateChangedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1539 + # panROUTINGRoutedPIMNewDrElectedTrap + # + # PIM elected a new DR + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNewDrElectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNewDrElectedTrap" + root.out.event.category.name = "panROUTINGRoutedPIMNewDrElectedTrap" + root.out.event.message = "panROUTINGRoutedPIMNewDrElectedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNewDrElectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNewDrElectedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedPIMNewDrElectedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedPIMNewDrElectedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1540 + # panROUTINGRoutedPIMNeighborDiscoveredTrap + # + # PIM discovered a new neighbor + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNeighborDiscoveredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNeighborDiscoveredTrap" + root.out.event.category.name = "panROUTINGRoutedPIMNeighborDiscoveredTrap" + root.out.event.message = "panROUTINGRoutedPIMNeighborDiscoveredTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNeighborDiscoveredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNeighborDiscoveredTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedPIMNeighborDiscoveredTrap - UNEXPECTED VARBINDS for panROUTINGRoutedPIMNeighborDiscoveredTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1541 + # panROUTINGRoutedPIMNeighborDisappearedTrap + # + # PIM neighbor disappeared + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNeighborDisappearedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNeighborDisappearedTrap" + root.out.event.category.name = "panROUTINGRoutedPIMNeighborDisappearedTrap" + root.out.event.message = "panROUTINGRoutedPIMNeighborDisappearedTrap, " + root.out.paloalto.panSystemDescription 
+ root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() 
+ } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { 
+ root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNeighborDisappearedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedPIMNeighborDisappearedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedPIMNeighborDisappearedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedPIMNeighborDisappearedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1542 + # panROUTINGRoutedIGMPWrongVersionTrap + # + # Wrong IGMP query version + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedIGMPWrongVersionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedIGMPWrongVersionTrap" + root.out.event.category.name = "panROUTINGRoutedIGMPWrongVersionTrap" + root.out.event.message = "panROUTINGRoutedIGMPWrongVersionTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedIGMPWrongVersionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedIGMPWrongVersionTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedIGMPWrongVersionTrap - UNEXPECTED VARBINDS for panROUTINGRoutedIGMPWrongVersionTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1543 + # panROUTINGRoutedGenericEventTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedGenericEventTrap" + root.out.event.category.name = "panROUTINGRoutedGenericEventTrap" + root.out.event.message = "panROUTINGRoutedGenericEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedGenericEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedGenericEventTrap - UNEXPECTED VARBINDS for panROUTINGRoutedGenericEventTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1544 + # panROUTINGRoutedOSPFStartGracefulRestartTrap + # + # OSPF started graceful restart. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartGracefulRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartGracefulRestartTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFStartGracefulRestartTrap" + root.out.event.message = "panROUTINGRoutedOSPFStartGracefulRestartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + 
root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + 
root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartGracefulRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartGracefulRestartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFStartGracefulRestartTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFStartGracefulRestartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1545 + # panROUTINGRoutedOSPFStoppedGracefulRestartTrap + # + # OSPF stopped graceful restart. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStoppedGracefulRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStoppedGracefulRestartTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFStoppedGracefulRestartTrap" + root.out.event.message = "panROUTINGRoutedOSPFStoppedGracefulRestartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + 
root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + 
root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStoppedGracefulRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStoppedGracefulRestartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFStoppedGracefulRestartTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFStoppedGracefulRestartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1546 + # panROUTINGRoutedOSPFStartHelperNodeTrap + # + # OSPF started helper mode for a restarting neighbor. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartHelperNodeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartHelperNodeTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFStartHelperNodeTrap" + root.out.event.message = "panROUTINGRoutedOSPFStartHelperNodeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartHelperNodeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartHelperNodeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFStartHelperNodeTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFStartHelperNodeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1547 + # panROUTINGRoutedOSPFStopHelperModeTrap + # + # OSPF stopped helper mode for a restarting neighbor. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStopHelperModeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStopHelperModeTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFStopHelperModeTrap" + root.out.event.message = "panROUTINGRoutedOSPFStopHelperModeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStopHelperModeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStopHelperModeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFStopHelperModeTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFStopHelperModeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1548 + # panROUTINGRoutedOSPFNotHelpTrap + # + # OSPF did not help a restarting neighbor. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNotHelpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNotHelpTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFNotHelpTrap" + root.out.event.message = "panROUTINGRoutedOSPFNotHelpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNotHelpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNotHelpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFNotHelpTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFNotHelpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1549 + # panROUTINGRoutedECMPTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedECMPTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedECMPTrap" + root.out.event.category.name = "panROUTINGRoutedECMPTrap" + root.out.event.message = "panROUTINGRoutedECMPTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedECMPTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedECMPTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedECMPTrap - UNEXPECTED VARBINDS for panROUTINGRoutedECMPTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1550 + # panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap + # + # BGP peer MP extension negotiation. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + 
root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + 
root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1551 + # panROUTINGPathMonitorFailureTrap + # + # Path monitoring failed for static route, route removed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGPathMonitorFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGPathMonitorFailureTrap" + root.out.event.category.name = "panROUTINGPathMonitorFailureTrap" + root.out.event.message = "panROUTINGPathMonitorFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGPathMonitorFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGPathMonitorFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGPathMonitorFailureTrap - UNEXPECTED VARBINDS for panROUTINGPathMonitorFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1552 + # panROUTINGPathMonitorRecoveryTrap + # + # Path monitoring recovered for static route, route restored. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGPathMonitorRecoveryTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGPathMonitorRecoveryTrap" + root.out.event.category.name = "panROUTINGPathMonitorRecoveryTrap" + root.out.event.message = "panROUTINGPathMonitorRecoveryTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGPathMonitorRecoveryTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGPathMonitorRecoveryTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGPathMonitorRecoveryTrap - UNEXPECTED VARBINDS for panROUTINGPathMonitorRecoveryTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1553 + # panROUTINGRouteTableCapacityTrap + # + # Route table capacity reached. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRouteTableCapacityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRouteTableCapacityTrap" + root.out.event.category.name = "panROUTINGRouteTableCapacityTrap" + root.out.event.message = "panROUTINGRouteTableCapacityTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRouteTableCapacityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRouteTableCapacityTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRouteTableCapacityTrap - UNEXPECTED VARBINDS for panROUTINGRouteTableCapacityTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1554 + # panROUTINGBGPRibInCapacityTrap + # + # BGP peer prefix capacity reached. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGBGPRibInCapacityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGBGPRibInCapacityTrap" + root.out.event.category.name = "panROUTINGBGPRibInCapacityTrap" + root.out.event.message = "panROUTINGBGPRibInCapacityTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGBGPRibInCapacityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGBGPRibInCapacityTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGBGPRibInCapacityTrap - UNEXPECTED VARBINDS for panROUTINGBGPRibInCapacityTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1555 + # panROUTINGRoutedBgpFqdnChangedTrap + # + # Routed BGP fqdn mapping is changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBgpFqdnChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBgpFqdnChangedTrap" + root.out.event.category.name = "panROUTINGRoutedBgpFqdnChangedTrap" + root.out.event.message = "panROUTINGRoutedBgpFqdnChangedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBgpFqdnChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBgpFqdnChangedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBgpFqdnChangedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBgpFqdnChangedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1556 + # panROUTINGRoutedStaticFqdnChangedTrap + # + # Routed static fqdn mapping is changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedStaticFqdnChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedStaticFqdnChangedTrap" + root.out.event.category.name = "panROUTINGRoutedStaticFqdnChangedTrap" + root.out.event.message = "panROUTINGRoutedStaticFqdnChangedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedStaticFqdnChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedStaticFqdnChangedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedStaticFqdnChangedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedStaticFqdnChangedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1557 + # panROUTINGRoutedBgpFqdnDownTrap + # + # Routed BGP fqdn mapping is unresolved + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBgpFqdnDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBgpFqdnDownTrap" + root.out.event.category.name = "panROUTINGRoutedBgpFqdnDownTrap" + root.out.event.message = "panROUTINGRoutedBgpFqdnDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBgpFqdnDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBgpFqdnDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBgpFqdnDownTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBgpFqdnDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1558 + # panROUTINGRoutedStaticFqdnDownTrap + # + # Routed static fqdn mapping is unresolved + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedStaticFqdnDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedStaticFqdnDownTrap" + root.out.event.category.name = "panROUTINGRoutedStaticFqdnDownTrap" + root.out.event.message = "panROUTINGRoutedStaticFqdnDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedStaticFqdnDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedStaticFqdnDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedStaticFqdnDownTrap - UNEXPECTED VARBINDS for panROUTINGRoutedStaticFqdnDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1559 + # panROUTINGRoutedZEBRALogTrap + # + # ZEBRA LOG : + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedZEBRALogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedZEBRALogTrap" + root.out.event.category.name = "panROUTINGRoutedZEBRALogTrap" + root.out.event.message = "panROUTINGRoutedZEBRALogTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedZEBRALogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedZEBRALogTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedZEBRALogTrap - UNEXPECTED VARBINDS for panROUTINGRoutedZEBRALogTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1560 + # panROUTINGRoutedSTATICLogTrap + # + # STATIC LOG : + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedSTATICLogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedSTATICLogTrap" + root.out.event.category.name = "panROUTINGRoutedSTATICLogTrap" + root.out.event.message = "panROUTINGRoutedSTATICLogTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedSTATICLogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedSTATICLogTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedSTATICLogTrap - UNEXPECTED VARBINDS for panROUTINGRoutedSTATICLogTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1561 + # panROUTINGRoutedOSPFLSAChksumFailedTrap + # + # OSPF LSA checksum generating failed due to memory corruption. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumFailedTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFLSAChksumFailedTrap" + root.out.event.message = "panROUTINGRoutedOSPFLSAChksumFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFLSAChksumFailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFLSAChksumFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1562 + # panROUTINGRoutedOSPFLSAChksumInvalidTrap + # + # OSPF received LSA with invalid checksum. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumInvalidTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumInvalidTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFLSAChksumInvalidTrap" + root.out.event.message = "panROUTINGRoutedOSPFLSAChksumInvalidTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumInvalidTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFLSAChksumInvalidTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFLSAChksumInvalidTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFLSAChksumInvalidTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1563 + # panROUTINGRoutedOSPFAuthtypeBadTrap + # + # OSPF packet dropped due to unexpected authentication type. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFAuthtypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFAuthtypeBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFAuthtypeBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFAuthtypeBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFAuthtypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFAuthtypeBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFAuthtypeBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFAuthtypeBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1564 + # panROUTINGRoutedOSPFPasswordBadTrap + # + # OSPF packet dropped due to incorrect simple password. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFPasswordBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFPasswordBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFPasswordBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFPasswordBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFPasswordBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFPasswordBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFPasswordBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFPasswordBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1565 + # panROUTINGRoutedOSPFChksumBadTrap + # + # OSPF packet dropped due to incorrect OSPF checksum. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFChksumBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFChksumBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFChksumBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFChksumBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFChksumBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFChksumBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFChksumBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFChksumBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1566 + # panROUTINGRoutedOSPFSequenceBadTrap + # + # OSPF packet dropped due to incorrect sequence number. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFSequenceBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFSequenceBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFSequenceBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFSequenceBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFSequenceBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFSequenceBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFSequenceBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFSequenceBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1567 + # panROUTINGRoutedOSPFMd5chksumBadTrap + # + # OSPF packet dropped due to incorrect MD5 checksum. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5chksumBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5chksumBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFMd5chksumBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFMd5chksumBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5chksumBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5chksumBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFMd5chksumBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFMd5chksumBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1568 + # panROUTINGRoutedOSPFMd5lengthBadTrap + # + # OSPF packet dropped due to incorrect MD5 digest length. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5lengthBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5lengthBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFMd5lengthBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFMd5lengthBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5lengthBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFMd5lengthBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFMd5lengthBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFMd5lengthBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1569 + # panROUTINGRoutedOSPFHelloHelloIntvalBadTrap + # + # OSPF hello packet dropped due to hello-interval mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloHelloIntvalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloHelloIntvalBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFHelloHelloIntvalBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFHelloHelloIntvalBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloHelloIntvalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloHelloIntvalBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFHelloHelloIntvalBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFHelloHelloIntvalBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1570 + # panROUTINGRoutedOSPFHelloDeadIntvalBadTrap + # + # OSPF hello packet dropped due to dead-interval mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloDeadIntvalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloDeadIntvalBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFHelloDeadIntvalBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFHelloDeadIntvalBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloDeadIntvalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloDeadIntvalBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFHelloDeadIntvalBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFHelloDeadIntvalBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1571 + # panROUTINGRoutedOSPFHelloNetmaskBadTrap + # + # OSPF hello packet dropped due to network masks mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloNetmaskBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloNetmaskBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFHelloNetmaskBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFHelloNetmaskBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloNetmaskBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloNetmaskBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFHelloNetmaskBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFHelloNetmaskBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1572 + # panROUTINGRoutedOSPFHelloAreaTypeBadTrap + # + # OSPF hello packet dropped due to area type mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloAreaTypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloAreaTypeBadTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFHelloAreaTypeBadTrap" + root.out.event.message = "panROUTINGRoutedOSPFHelloAreaTypeBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloAreaTypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFHelloAreaTypeBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFHelloAreaTypeBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFHelloAreaTypeBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1573 + # panROUTINGRoutedOSPFNeighbor2dirTrap + # + # OSPF two-way communication established with neighbor. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighbor2dirTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighbor2dirTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFNeighbor2dirTrap" + root.out.event.message = "panROUTINGRoutedOSPFNeighbor2dirTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighbor2dirTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighbor2dirTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFNeighbor2dirTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFNeighbor2dirTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1574 + # panROUTINGRoutedOSPFNeighborFullTrap + # + # OSPF full adjacency established with neighbor. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborFullTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborFullTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFNeighborFullTrap" + root.out.event.message = "panROUTINGRoutedOSPFNeighborFullTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborFullTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborFullTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFNeighborFullTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFNeighborFullTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1575 + # panROUTINGRoutedOSPFNeighborDownTrap + # + # OSPF adjacency with neighbor has gone down. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborDownTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFNeighborDownTrap" + root.out.event.message = "panROUTINGRoutedOSPFNeighborDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNeighborDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFNeighborDownTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFNeighborDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1576 + # panROUTINGRoutedOSPFStartGracefulRestartTrap + # + # OSPF started graceful restart. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartGracefulRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartGracefulRestartTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFStartGracefulRestartTrap" + root.out.event.message = "panROUTINGRoutedOSPFStartGracefulRestartTrap, " + 
root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = 
this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() 
+ } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if 
this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if 
this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartGracefulRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartGracefulRestartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFStartGracefulRestartTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFStartGracefulRestartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1577 + # panROUTINGRoutedOSPFStoppedGracefulRestartTrap + # + # OSPF stopped graceful restart. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStoppedGracefulRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStoppedGracefulRestartTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFStoppedGracefulRestartTrap" + root.out.event.message = "panROUTINGRoutedOSPFStoppedGracefulRestartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + 
root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + 
root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStoppedGracefulRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStoppedGracefulRestartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFStoppedGracefulRestartTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFStoppedGracefulRestartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1578 + # panROUTINGRoutedOSPFStartHelperNodeTrap + # + # OSPF started helper mode for a restarting neighbor. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartHelperNodeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartHelperNodeTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFStartHelperNodeTrap" + root.out.event.message = "panROUTINGRoutedOSPFStartHelperNodeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartHelperNodeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStartHelperNodeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFStartHelperNodeTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFStartHelperNodeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1579 + # panROUTINGRoutedOSPFStopHelperModeTrap + # + # OSPF stopped helper mode for a restarting neighbor. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStopHelperModeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStopHelperModeTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFStopHelperModeTrap" + root.out.event.message = "panROUTINGRoutedOSPFStopHelperModeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStopHelperModeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFStopHelperModeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFStopHelperModeTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFStopHelperModeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1580 + # panROUTINGRoutedOSPFNotHelpTrap + # + # OSPF did not help a restarting neighbor. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNotHelpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNotHelpTrap" + root.out.event.category.name = "panROUTINGRoutedOSPFNotHelpTrap" + root.out.event.message = "panROUTINGRoutedOSPFNotHelpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNotHelpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedOSPFNotHelpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedOSPFNotHelpTrap - UNEXPECTED VARBINDS for panROUTINGRoutedOSPFNotHelpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1581 + # panROUTINGRoutedRIPPeerAddTrap + # + # RIP peer discovered. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerAddTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerAddTrap" + root.out.event.category.name = "panROUTINGRoutedRIPPeerAddTrap" + root.out.event.message = "panROUTINGRoutedRIPPeerAddTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerAddTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerAddTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPPeerAddTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPPeerAddTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1582 + # panROUTINGRoutedRIPPeerDelTrap + # + # RIP peer disappeared. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerDelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerDelTrap" + root.out.event.category.name = "panROUTINGRoutedRIPPeerDelTrap" + root.out.event.message = "panROUTINGRoutedRIPPeerDelTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerDelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPPeerDelTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPPeerDelTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPPeerDelTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1583 + # panROUTINGRoutedRIPAuthtypeBadTrap + # + # RIP packet dropped due to unexpected authentication type. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthtypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthtypeBadTrap" + root.out.event.category.name = "panROUTINGRoutedRIPAuthtypeBadTrap" + root.out.event.message = "panROUTINGRoutedRIPAuthtypeBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthtypeBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthtypeBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPAuthtypeBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPAuthtypeBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1584 + # panROUTINGRoutedRIPAuthFailedTrap + # + # RIP packet dropped due to authentication failure. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthFailedTrap" + root.out.event.category.name = "panROUTINGRoutedRIPAuthFailedTrap" + root.out.event.message = "panROUTINGRoutedRIPAuthFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPAuthFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPAuthFailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPAuthFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1585 + # panROUTINGRoutedRIPMd5lengthBadTrap + # + # RIP packet dropped due to incorrect MD5 digest length. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPMd5lengthBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPMd5lengthBadTrap" + root.out.event.category.name = "panROUTINGRoutedRIPMd5lengthBadTrap" + root.out.event.message = "panROUTINGRoutedRIPMd5lengthBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPMd5lengthBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedRIPMd5lengthBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedRIPMd5lengthBadTrap - UNEXPECTED VARBINDS for panROUTINGRoutedRIPMd5lengthBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1586 + # panROUTINGBGPRTMCapacityTrap + # + # New BGP route exceeded RTM capacity. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGBGPRTMCapacityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGBGPRTMCapacityTrap" + root.out.event.category.name = "panROUTINGBGPRTMCapacityTrap" + root.out.event.message = "panROUTINGBGPRTMCapacityTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGBGPRTMCapacityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGBGPRTMCapacityTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGBGPRTMCapacityTrap - UNEXPECTED VARBINDS for panROUTINGBGPRTMCapacityTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1587 + # panROUTINGRoutedBGPPeerEnterEstablishedTrap + # + # BGP peer session enters established state. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerEnterEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerEnterEstablishedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerEnterEstablishedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerEnterEstablishedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + 
root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + 
root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerEnterEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerEnterEstablishedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerEnterEstablishedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerEnterEstablishedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1588 + # panROUTINGRoutedBGPPeerLeftEstablishedTrap + # + # BGP peer session left established state. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerLeftEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerLeftEstablishedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerLeftEstablishedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerLeftEstablishedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + 
root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + 
root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerLeftEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerLeftEstablishedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerLeftEstablishedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerLeftEstablishedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1589 + # panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap + # + # BGP peer MP extension negotiation. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + 
root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + 
root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerMpExtensionNegotiateTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1590 + # panROUTINGRoutedBGPPeerFailedTrap + # + # BGP peer session has failed and may restart. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerFailedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerFailedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerFailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1591 + # panROUTINGRoutedBGPPeerRestartedTrap + # + # Initiated graceful-restart with a BGP peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerRestartedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerRestartedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerRestartedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerRestartedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1592 + # panROUTINGRoutedBGPPeerRestartFailedTrap + # + # Graceful-restart with a BGP peer failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartFailedTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerRestartFailedTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerRestartFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerRestartFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerRestartFailedTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerRestartFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1593 + # panROUTINGRoutedBGPPeerPrefixExceededTrap + # + # BGP peer advertised more than maximum allowed prefixes. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerPrefixExceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerPrefixExceededTrap" + root.out.event.category.name = "panROUTINGRoutedBGPPeerPrefixExceededTrap" + root.out.event.message = "panROUTINGRoutedBGPPeerPrefixExceededTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerPrefixExceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPPeerPrefixExceededTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPPeerPrefixExceededTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPPeerPrefixExceededTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1594 + # panROUTINGRoutedBGPRefreshSentTrap + # + # ROUTE REFRESH message sent to a BGP peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRefreshSentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRefreshSentTrap" + root.out.event.category.name = "panROUTINGRoutedBGPRefreshSentTrap" + root.out.event.message = "panROUTINGRoutedBGPRefreshSentTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRefreshSentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRefreshSentTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPRefreshSentTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPRefreshSentTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1595 + # panROUTINGRoutedBGPRibinRecalcTrap + # + # An RIB-In is being recalculated as a result of changed import policy. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRibinRecalcTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRibinRecalcTrap" + root.out.event.category.name = "panROUTINGRoutedBGPRibinRecalcTrap" + root.out.event.message = "panROUTINGRoutedBGPRibinRecalcTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRibinRecalcTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRibinRecalcTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPRibinRecalcTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPRibinRecalcTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1596 + # panROUTINGRoutedBGPRiboutRecalcTrap + # + # An RIB-Out is being recalculated as a result of changed export policy. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRiboutRecalcTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRiboutRecalcTrap" + root.out.event.category.name = "panROUTINGRoutedBGPRiboutRecalcTrap" + root.out.event.message = "panROUTINGRoutedBGPRiboutRecalcTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRiboutRecalcTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panROUTINGRoutedBGPRiboutRecalcTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panROUTINGRoutedBGPRiboutRecalcTrap - UNEXPECTED VARBINDS for panROUTINGRoutedBGPRiboutRecalcTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1600 + # panSSLVPNSslvpnRegistSuccTrap + # + # SSL VPN user login succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + 
if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnRegistSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnRegistSuccTrap" + root.out.event.category.name = "panSSLVPNSslvpnRegistSuccTrap" + root.out.event.message = "panSSLVPNSslvpnRegistSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnRegistSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnRegistSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnRegistSuccTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnRegistSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1601 + # panSSLVPNSslvpnRegistFailTrap + # + # SSL VPN user login failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnRegistFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnRegistFailTrap" + root.out.event.category.name = "panSSLVPNSslvpnRegistFailTrap" + root.out.event.message = "panSSLVPNSslvpnRegistFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnRegistFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnRegistFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnRegistFailTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnRegistFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1602 + # panSSLVPNSslvpnLogoutSuccTrap + # + # SSL VPN user logout succeeded. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnLogoutSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnLogoutSuccTrap" + root.out.event.category.name = "panSSLVPNSslvpnLogoutSuccTrap" + root.out.event.message = "panSSLVPNSslvpnLogoutSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnLogoutSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnLogoutSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnLogoutSuccTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnLogoutSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1603 + # panSSLVPNSslvpnLogoutFailTrap + # + # SSL VPN user logout failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnLogoutFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnLogoutFailTrap" + root.out.event.category.name = "panSSLVPNSslvpnLogoutFailTrap" + root.out.event.message = "panSSLVPNSslvpnLogoutFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnLogoutFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnLogoutFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnLogoutFailTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnLogoutFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1604 + # panSSLVPNSslvpnConfigSuccTrap + # + # SSL VPN client configuration generated. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigSuccTrap" + root.out.event.category.name = "panSSLVPNSslvpnConfigSuccTrap" + root.out.event.message = "panSSLVPNSslvpnConfigSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnConfigSuccTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnConfigSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1605 + # panSSLVPNSslvpnConfigFailTrap + # + # SSL VPN client configuration failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigFailTrap" + root.out.event.category.name = "panSSLVPNSslvpnConfigFailTrap" + root.out.event.message = "panSSLVPNSslvpnConfigFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnConfigFailTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnConfigFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1606 + # panSSLVPNSslvpnConfigReleaseTrap + # + # SSL VPN client configuration released. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigReleaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigReleaseTrap" + root.out.event.category.name = "panSSLVPNSslvpnConfigReleaseTrap" + root.out.event.message = "panSSLVPNSslvpnConfigReleaseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigReleaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnConfigReleaseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnConfigReleaseTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnConfigReleaseTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1607 + # panSSLVPNSslvpnSwitchSuccTrap + # + # SSL VPN client switch to SSL tunnel mode succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnSwitchSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnSwitchSuccTrap" + root.out.event.category.name = "panSSLVPNSslvpnSwitchSuccTrap" + root.out.event.message = "panSSLVPNSslvpnSwitchSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnSwitchSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnSwitchSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnSwitchSuccTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnSwitchSuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1608 + # panSSLVPNSslvpnSwitchFailTrap + # + # SSL VPN client switch to SSL tunnel mode failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnSwitchFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnSwitchFailTrap" + root.out.event.category.name = "panSSLVPNSslvpnSwitchFailTrap" + root.out.event.message = "panSSLVPNSslvpnSwitchFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnSwitchFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnSwitchFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnSwitchFailTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnSwitchFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1609 + # panSSLVPNSslvpnAuthSuccTrap + # + # SSL VPN user authentication succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnAuthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnAuthSuccTrap" + root.out.event.category.name = "panSSLVPNSslvpnAuthSuccTrap" + root.out.event.message = "panSSLVPNSslvpnAuthSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnAuthSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnAuthSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnAuthSuccTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnAuthSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1610 + # panSSLVPNSslvpnAuthFailTrap + # + # SSL VPN user authentication failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnAuthFailTrap" + root.out.event.category.name = "panSSLVPNSslvpnAuthFailTrap" + root.out.event.message = "panSSLVPNSslvpnAuthFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLVPNSslvpnAuthFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLVPNSslvpnAuthFailTrap - UNEXPECTED VARBINDS for panSSLVPNSslvpnAuthFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1700 + # panVPNIkeConfigP1SuccessTrap + # + # IKE daemon configuration load phase-1 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1SuccessTrap" + root.out.event.category.name = "panVPNIkeConfigP1SuccessTrap" + root.out.event.message = "panVPNIkeConfigP1SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeConfigP1SuccessTrap - UNEXPECTED VARBINDS for panVPNIkeConfigP1SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1701 + # panVPNIkeConfigP1FailedTrap + # + # IKE daemon configuration load phase-1 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1FailedTrap" + root.out.event.category.name = "panVPNIkeConfigP1FailedTrap" + root.out.event.message = "panVPNIkeConfigP1FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeConfigP1FailedTrap - UNEXPECTED VARBINDS for panVPNIkeConfigP1FailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1702 + # panVPNIkeConfigP1AbortTrap + # + # IKE daemon configuration load phase-1 aborted. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1AbortTrap" + root.out.event.category.name = "panVPNIkeConfigP1AbortTrap" + root.out.event.message = "panVPNIkeConfigP1AbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP1AbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeConfigP1AbortTrap - UNEXPECTED VARBINDS for panVPNIkeConfigP1AbortTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1703 + # panVPNIkeConfigP2SuccessTrap + # + # IKE daemon configuration load phase-2 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP2SuccessTrap" + root.out.event.category.name = "panVPNIkeConfigP2SuccessTrap" + root.out.event.message = "panVPNIkeConfigP2SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP2SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeConfigP2SuccessTrap - UNEXPECTED VARBINDS for panVPNIkeConfigP2SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1704 + # panVPNIkeConfigP2FailedTrap + # + # IKE daemon configuration load phase-2 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP2FailedTrap" + root.out.event.category.name = "panVPNIkeConfigP2FailedTrap" + root.out.event.message = "panVPNIkeConfigP2FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeConfigP2FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeConfigP2FailedTrap - UNEXPECTED VARBINDS for panVPNIkeConfigP2FailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1705 + # panVPNIkeDaemonStartTrap + # + # IKE daemon is ready. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonStartTrap" + root.out.event.category.name = "panVPNIkeDaemonStartTrap" + root.out.event.message = "panVPNIkeDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeDaemonStartTrap - UNEXPECTED VARBINDS for panVPNIkeDaemonStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1706 + # panVPNIkeDaemonExitTrap + # + # IKE daemon has exited. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonExitTrap" + root.out.event.category.name = "panVPNIkeDaemonExitTrap" + root.out.event.message = "panVPNIkeDaemonExitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonExitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeDaemonExitTrap - UNEXPECTED VARBINDS for panVPNIkeDaemonExitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1707 + # panVPNIkeDaemonInitTrap + # + # IKE daemon is initializing. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonInitTrap" + root.out.event.category.name = "panVPNIkeDaemonInitTrap" + root.out.event.message = "panVPNIkeDaemonInitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeDaemonInitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeDaemonInitTrap - UNEXPECTED VARBINDS for panVPNIkeDaemonInitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1708 + # panVPNIkeNegoP1StartTrap + # + # IKE phase-1 negotiation is started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1StartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1StartTrap" + root.out.event.category.name = "panVPNIkeNegoP1StartTrap" + root.out.event.message = "panVPNIkeNegoP1StartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1StartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1StartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1StartTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1StartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1709 + # panVPNIkeNegoP1FailTrap + # + # IKE phase-1 negotiation is failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailTrap" + root.out.event.category.name = "panVPNIkeNegoP1FailTrap" + root.out.event.message = "panVPNIkeNegoP1FailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1FailTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1FailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1710 + # panVPNIkeNegoP1SuccTrap + # + # IKE phase-1 negotiation is succeeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1SuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1SuccTrap" + root.out.event.category.name = "panVPNIkeNegoP1SuccTrap" + root.out.event.message = "panVPNIkeNegoP1SuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1SuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1SuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1SuccTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1SuccTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1711 + # panVPNIkeNegoP1ExpireTrap + # + # IKE phase-1 SA is expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1ExpireTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1ExpireTrap" + root.out.event.category.name = "panVPNIkeNegoP1ExpireTrap" + root.out.event.message = "panVPNIkeNegoP1ExpireTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1ExpireTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1ExpireTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1ExpireTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1ExpireTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1712 + # panVPNIkeNegoP1DeleteTrap + # + # IKE phase-1 SA is deleted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1DeleteTrap" + root.out.event.category.name = "panVPNIkeNegoP1DeleteTrap" + root.out.event.message = "panVPNIkeNegoP1DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1DeleteTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1DeleteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1713 + # panVPNIkeNegoP1DpdDnTrap + # + # IKE phase-1 SA is down determined by DPD. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1DpdDnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1DpdDnTrap" + root.out.event.category.name = "panVPNIkeNegoP1DpdDnTrap" + root.out.event.message = "panVPNIkeNegoP1DpdDnTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1DpdDnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1DpdDnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1DpdDnTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1DpdDnTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1714 + # panVPNIkeNegoP1PskIdtypeTrap + # + # IKE phase-1 negotiation is failed. When pre-shared key is used peer-ID must be type IP address. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1PskIdtypeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1PskIdtypeTrap" + root.out.event.category.name = "panVPNIkeNegoP1PskIdtypeTrap" + root.out.event.message = "panVPNIkeNegoP1PskIdtypeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1PskIdtypeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1PskIdtypeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1PskIdtypeTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1PskIdtypeTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1715 + # panVPNIkeNegoP1FailPskTrap + # + # IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailPskTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailPskTrap" + root.out.event.category.name = "panVPNIkeNegoP1FailPskTrap" + root.out.event.message = "panVPNIkeNegoP1FailPskTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailPskTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailPskTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1FailPskTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1FailPskTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1716 + # panVPNIkeNegoP1FailCommonTrap + # + # IKE phase-1 negotiation is failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailCommonTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailCommonTrap" + root.out.event.category.name = "panVPNIkeNegoP1FailCommonTrap" + root.out.event.message = "panVPNIkeNegoP1FailCommonTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailCommonTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailCommonTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1FailCommonTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1FailCommonTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1717 + # panVPNIkeNegoP2StartTrap + # + # IKE phase-2 negotiation is started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2StartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2StartTrap" + root.out.event.category.name = "panVPNIkeNegoP2StartTrap" + root.out.event.message = "panVPNIkeNegoP2StartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2StartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2StartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2StartTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2StartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1718 + # panVPNIkeNegoP2FailTrap + # + # IKE phase-2 negotiation is failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2FailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2FailTrap" + root.out.event.category.name = "panVPNIkeNegoP2FailTrap" + root.out.event.message = "panVPNIkeNegoP2FailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2FailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2FailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2FailTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2FailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1719 + # panVPNIkeNegoP2SuccTrap + # + # IKE phase-2 negotiation is succeeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SuccTrap" + root.out.event.category.name = "panVPNIkeNegoP2SuccTrap" + root.out.event.message = "panVPNIkeNegoP2SuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2SuccTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2SuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1720 + # panVPNIkeNegoP2StaleP1Trap + # + # Deleting a possible stale phase-1 SA. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2StaleP1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2StaleP1Trap" + root.out.event.category.name = "panVPNIkeNegoP2StaleP1Trap" + root.out.event.message = "panVPNIkeNegoP2StaleP1Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2StaleP1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2StaleP1Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2StaleP1Trap - UNEXPECTED VARBINDS for panVPNIkeNegoP2StaleP1Trap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1721 + # panVPNIkeNegoP2DupRekeyTrap + # + # duplicate phase-2 rekey request detected ignore new request. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2DupRekeyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2DupRekeyTrap" + root.out.event.category.name = "panVPNIkeNegoP2DupRekeyTrap" + root.out.event.message = "panVPNIkeNegoP2DupRekeyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2DupRekeyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2DupRekeyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2DupRekeyTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2DupRekeyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1722 + # panVPNIkeNegoP2SimulContTrap + # + # simultaneous phase-2 rekey request detected peer is PANOS. 
Ignore this new request. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulContTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulContTrap" + root.out.event.category.name = "panVPNIkeNegoP2SimulContTrap" + root.out.event.message = "panVPNIkeNegoP2SimulContTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulContTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulContTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2SimulContTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2SimulContTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1723 + # panVPNIkeNegoP2SimulFailTrap + # + # simultaneous phase-2 rekey request detected peer is PANOS. Previous request removed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulFailTrap" + root.out.event.category.name = "panVPNIkeNegoP2SimulFailTrap" + root.out.event.message = "panVPNIkeNegoP2SimulFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2SimulFailTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2SimulFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1724 + # panVPNIkeNegoP2SimulDelayTrap + # + # simultaneous phase-2 rekey request detected peer is not PANOS. Delay processing this new request. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulDelayTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulDelayTrap" + root.out.event.category.name = "panVPNIkeNegoP2SimulDelayTrap" + root.out.event.message = "panVPNIkeNegoP2SimulDelayTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulDelayTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2SimulDelayTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2SimulDelayTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2SimulDelayTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1725 + # panVPNIkeNegoP2NoP1Trap + # + # IKE phase-2 negotiation request received but no phase-1 SA is found. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2NoP1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2NoP1Trap" + root.out.event.category.name = "panVPNIkeNegoP2NoP1Trap" + root.out.event.message = "panVPNIkeNegoP2NoP1Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2NoP1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2NoP1Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2NoP1Trap - UNEXPECTED VARBINDS for panVPNIkeNegoP2NoP1Trap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1726 + # panVPNIkeNegoP2P1NotReadyTrap + # + # IKE phase-2 negotiation request received but no active phase-1 SA is available. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2P1NotReadyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2P1NotReadyTrap" + root.out.event.category.name = "panVPNIkeNegoP2P1NotReadyTrap" + root.out.event.message = "panVPNIkeNegoP2P1NotReadyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2P1NotReadyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2P1NotReadyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2P1NotReadyTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2P1NotReadyTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1727 + # panVPNIkeNegoP2ProxyIdBadTrap + # + # IKE phase-2 negotiation failed when processing proxy ID. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2ProxyIdBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2ProxyIdBadTrap" + root.out.event.category.name = "panVPNIkeNegoP2ProxyIdBadTrap" + root.out.event.message = "panVPNIkeNegoP2ProxyIdBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2ProxyIdBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2ProxyIdBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2ProxyIdBadTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2ProxyIdBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1728 + # panVPNIkeNegoP2ProposalBadTrap + # + # IKE phase-2 negotiation failed when processing SA payload. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2ProposalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2ProposalBadTrap" + root.out.event.category.name = "panVPNIkeNegoP2ProposalBadTrap" + root.out.event.message = "panVPNIkeNegoP2ProposalBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2ProposalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP2ProposalBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP2ProposalBadTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP2ProposalBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1729 + # panVPNIpsecKeyInstallTrap + # + # IPSec key installed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyInstallTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyInstallTrap" + root.out.event.category.name = "panVPNIpsecKeyInstallTrap" + root.out.event.message = "panVPNIpsecKeyInstallTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyInstallTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyInstallTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIpsecKeyInstallTrap - UNEXPECTED VARBINDS for panVPNIpsecKeyInstallTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1730 + # panVPNIpsecKeyDeleteTrap + # + # IPSec key deleted. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyDeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyDeleteTrap" + root.out.event.category.name = "panVPNIpsecKeyDeleteTrap" + root.out.event.message = "panVPNIpsecKeyDeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyDeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyDeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIpsecKeyDeleteTrap - UNEXPECTED VARBINDS for panVPNIpsecKeyDeleteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1731 + # panVPNIpsecKeyExpireTrap + # + # IPSec key lifetime expired. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyExpireTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyExpireTrap" + root.out.event.category.name = "panVPNIpsecKeyExpireTrap" + root.out.event.message = "panVPNIpsecKeyExpireTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyExpireTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIpsecKeyExpireTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIpsecKeyExpireTrap - UNEXPECTED VARBINDS for panVPNIpsecKeyExpireTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1732 + # panVPNIkeRecvNotifyTrap + # + # IKE protocol notification message received: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvNotifyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvNotifyTrap" + root.out.event.category.name = "panVPNIkeRecvNotifyTrap" + root.out.event.message = "panVPNIkeRecvNotifyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvNotifyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvNotifyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeRecvNotifyTrap - UNEXPECTED VARBINDS for panVPNIkeRecvNotifyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1733 + # panVPNIkeRecvP1DeleteTrap + # + # IKE protocol phase-1 SA delete message received from peer. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvP1DeleteTrap" + root.out.event.category.name = "panVPNIkeRecvP1DeleteTrap" + root.out.event.message = "panVPNIkeRecvP1DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvP1DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeRecvP1DeleteTrap - UNEXPECTED VARBINDS for panVPNIkeRecvP1DeleteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1734 + # panVPNIkeRecvP2DeleteTrap + # + # IKE protocol IPSec SA delete message received from peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvP2DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvP2DeleteTrap" + root.out.event.category.name = "panVPNIkeRecvP2DeleteTrap" + root.out.event.message = "panVPNIkeRecvP2DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvP2DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeRecvP2DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeRecvP2DeleteTrap - UNEXPECTED VARBINDS for panVPNIkeRecvP2DeleteTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1735 + # panVPNIkeSendNotifyTrap + # + # IKE protocol notification message sent: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendNotifyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendNotifyTrap" + root.out.event.category.name = "panVPNIkeSendNotifyTrap" + root.out.event.message = "panVPNIkeSendNotifyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendNotifyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendNotifyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeSendNotifyTrap - UNEXPECTED VARBINDS for panVPNIkeSendNotifyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1736 + # panVPNIkeSendP1DeleteTrap + # + # IKE protocol phase-1 SA delete message sent to peer. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendP1DeleteTrap" + root.out.event.category.name = "panVPNIkeSendP1DeleteTrap" + root.out.event.message = "panVPNIkeSendP1DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendP1DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeSendP1DeleteTrap - UNEXPECTED VARBINDS for panVPNIkeSendP1DeleteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1737 + # panVPNIkeSendP2DeleteTrap + # + # IKE protocol IPSec SA delete message sent to peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendP2DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendP2DeleteTrap" + root.out.event.category.name = "panVPNIkeSendP2DeleteTrap" + root.out.event.message = "panVPNIkeSendP2DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendP2DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeSendP2DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeSendP2DeleteTrap - UNEXPECTED VARBINDS for panVPNIkeSendP2DeleteTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1738 + # panVPNIkev2NegoIkeStartTrap + # + # IKEv2 IKE SA negotiation is started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeStartTrap" + root.out.event.category.name = "panVPNIkev2NegoIkeStartTrap" + root.out.event.message = "panVPNIkev2NegoIkeStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoIkeStartTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoIkeStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1739 + # panVPNIkev2NegoIkeFailTrap + # + # IKEv2 IKE SA negotiation is failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeFailTrap" + root.out.event.category.name = "panVPNIkev2NegoIkeFailTrap" + root.out.event.message = "panVPNIkev2NegoIkeFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoIkeFailTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoIkeFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1740 + # panVPNIkev2NegoIkeSuccTrap + # + # IKEv2 IKE SA negotiation is succeeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeSuccTrap" + root.out.event.category.name = "panVPNIkev2NegoIkeSuccTrap" + root.out.event.message = "panVPNIkev2NegoIkeSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoIkeSuccTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoIkeSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1741 + # panVPNIkev2NegoIkeExpireTrap + # + # IKEv2 IKE SA is expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeExpireTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeExpireTrap" + root.out.event.category.name = "panVPNIkev2NegoIkeExpireTrap" + root.out.event.message = "panVPNIkev2NegoIkeExpireTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeExpireTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeExpireTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoIkeExpireTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoIkeExpireTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1742 + # panVPNIkev2NegoIkeDeleteTrap + # + # IKEv2 IKE SA is deleted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeDeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeDeleteTrap" + root.out.event.category.name = "panVPNIkev2NegoIkeDeleteTrap" + root.out.event.message = "panVPNIkev2NegoIkeDeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeDeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeDeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoIkeDeleteTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoIkeDeleteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1743 + # panVPNIkev2NegoChildStartTrap + # + # IKEv2 Child SA negotiation is started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + 
if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildStartTrap" + root.out.event.category.name = "panVPNIkev2NegoChildStartTrap" + root.out.event.message = "panVPNIkev2NegoChildStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildStartTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1744 + # panVPNIkev2NegoChildFailTrap + # + # IKEv2 Child SA negotiation is failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildFailTrap" + root.out.event.category.name = "panVPNIkev2NegoChildFailTrap" + root.out.event.message = "panVPNIkev2NegoChildFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildFailTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1745 + # panVPNIkev2NegoChildSuccTrap + # + # IKEv2 Child SA negotiation is succeeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + 
if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSuccTrap" + root.out.event.category.name = "panVPNIkev2NegoChildSuccTrap" + root.out.event.message = "panVPNIkev2NegoChildSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildSuccTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1746 + # panVPNTunnelStatusUpTrap + # + # Tunnel status change to UP. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNTunnelStatusUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNTunnelStatusUpTrap" + root.out.event.category.name = "panVPNTunnelStatusUpTrap" + root.out.event.message = "panVPNTunnelStatusUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNTunnelStatusUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNTunnelStatusUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNTunnelStatusUpTrap - UNEXPECTED VARBINDS for panVPNTunnelStatusUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1747 + # panVPNTunnelStatusDownTrap + # + # Tunnel status change to DOWN. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNTunnelStatusDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNTunnelStatusDownTrap" + root.out.event.category.name = "panVPNTunnelStatusDownTrap" + root.out.event.message = "panVPNTunnelStatusDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNTunnelStatusDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNTunnelStatusDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNTunnelStatusDownTrap - UNEXPECTED VARBINDS for panVPNTunnelStatusDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1748 + # panVPNKeymgrDaemonStartTrap + # + # KEYMGR daemon is ready. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonStartTrap" + root.out.event.category.name = "panVPNKeymgrDaemonStartTrap" + root.out.event.message = "panVPNKeymgrDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrDaemonStartTrap - UNEXPECTED VARBINDS for panVPNKeymgrDaemonStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1749 + # panVPNKeymgrDaemonExitTrap + # + # KEYMGR daemon has exited. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonExitTrap" + root.out.event.category.name = "panVPNKeymgrDaemonExitTrap" + root.out.event.message = "panVPNKeymgrDaemonExitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonExitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrDaemonExitTrap - UNEXPECTED VARBINDS for panVPNKeymgrDaemonExitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1750 + # panVPNKeymgrDaemonInitTrap + # + # KEYMGR daemon is initializing. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonInitTrap" + root.out.event.category.name = "panVPNKeymgrDaemonInitTrap" + root.out.event.message = "panVPNKeymgrDaemonInitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrDaemonInitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrDaemonInitTrap - UNEXPECTED VARBINDS for panVPNKeymgrDaemonInitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1751 + # panVPNKeymgrFlowFullSyncStartTrap + # + # KEYMGR sync all IPSec SA to Flow started. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncStartTrap" + root.out.event.category.name = "panVPNKeymgrFlowFullSyncStartTrap" + root.out.event.message = "panVPNKeymgrFlowFullSyncStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrFlowFullSyncStartTrap - UNEXPECTED VARBINDS for panVPNKeymgrFlowFullSyncStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1752 + # panVPNKeymgrFlowFullSyncAbortTrap + # + # KEYMGR sync all IPSec SA to Flow no longer needed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncAbortTrap" + root.out.event.category.name = "panVPNKeymgrFlowFullSyncAbortTrap" + root.out.event.message = "panVPNKeymgrFlowFullSyncAbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncAbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrFlowFullSyncAbortTrap - UNEXPECTED VARBINDS for panVPNKeymgrFlowFullSyncAbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1753 + # panVPNKeymgrFlowFullSyncDoneTrap + # + # KEYMGR sync all IPSec SA to Flow exit. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncDoneTrap" + root.out.event.category.name = "panVPNKeymgrFlowFullSyncDoneTrap" + root.out.event.message = "panVPNKeymgrFlowFullSyncDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrFlowFullSyncDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrFlowFullSyncDoneTrap - UNEXPECTED VARBINDS for panVPNKeymgrFlowFullSyncDoneTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1754 + # panVPNKeymgrIkeFullSyncStartTrap + # + # KEYMGR sync all IPSec SA to IKE daemon started. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncStartTrap" + root.out.event.category.name = "panVPNKeymgrIkeFullSyncStartTrap" + root.out.event.message = "panVPNKeymgrIkeFullSyncStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrIkeFullSyncStartTrap - UNEXPECTED VARBINDS for panVPNKeymgrIkeFullSyncStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1755 + # panVPNKeymgrIkeFullSyncAbortTrap + # + # KEYMGR sync all IPSec SA to IKE daemon no longer needed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncAbortTrap" + root.out.event.category.name = "panVPNKeymgrIkeFullSyncAbortTrap" + root.out.event.message = "panVPNKeymgrIkeFullSyncAbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncAbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrIkeFullSyncAbortTrap - UNEXPECTED VARBINDS for panVPNKeymgrIkeFullSyncAbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1756 + # panVPNKeymgrIkeFullSyncDoneTrap + # + # KEYMGR sync all IPSec SA to IKE daemon exit. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncDoneTrap" + root.out.event.category.name = "panVPNKeymgrIkeFullSyncDoneTrap" + root.out.event.message = "panVPNKeymgrIkeFullSyncDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrIkeFullSyncDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrIkeFullSyncDoneTrap - UNEXPECTED VARBINDS for panVPNKeymgrIkeFullSyncDoneTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1757 + # panVPNKeymgrHaFullSyncStartTrap + # + # KEYMGR sync all IPSec SA to HA peer started. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncStartTrap" + root.out.event.category.name = "panVPNKeymgrHaFullSyncStartTrap" + root.out.event.message = "panVPNKeymgrHaFullSyncStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrHaFullSyncStartTrap - UNEXPECTED VARBINDS for panVPNKeymgrHaFullSyncStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1758 + # panVPNKeymgrHaFullSyncAbortTrap + # + # KEYMGR sync all IPSec SA to HA peer no longer needed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncAbortTrap" + root.out.event.category.name = "panVPNKeymgrHaFullSyncAbortTrap" + root.out.event.message = "panVPNKeymgrHaFullSyncAbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncAbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrHaFullSyncAbortTrap - UNEXPECTED VARBINDS for panVPNKeymgrHaFullSyncAbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1759 + # panVPNKeymgrHaFullSyncDoneTrap + # + # KEYMGR sync all IPSec SA to HA peer exit. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncDoneTrap" + root.out.event.category.name = "panVPNKeymgrHaFullSyncDoneTrap" + root.out.event.message = "panVPNKeymgrHaFullSyncDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrHaFullSyncDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrHaFullSyncDoneTrap - UNEXPECTED VARBINDS for panVPNKeymgrHaFullSyncDoneTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1760 + # panVPNIkeGenericEventTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeGenericEventTrap" + root.out.event.category.name = "panVPNIkeGenericEventTrap" + root.out.event.message = "panVPNIkeGenericEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeGenericEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeGenericEventTrap - UNEXPECTED VARBINDS for panVPNIkeGenericEventTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1761 + # panVPNKeymgrGenericEventTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrGenericEventTrap" + root.out.event.category.name = "panVPNKeymgrGenericEventTrap" + root.out.event.message = "panVPNKeymgrGenericEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNKeymgrGenericEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNKeymgrGenericEventTrap - UNEXPECTED VARBINDS for panVPNKeymgrGenericEventTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1762 + # panVPNIkeNegoP1FailCertTrap + # + # IKE phase-1 negotiation is failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailCertTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailCertTrap" + root.out.event.category.name = "panVPNIkeNegoP1FailCertTrap" + root.out.event.message = "panVPNIkeNegoP1FailCertTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailCertTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1FailCertTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1FailCertTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1FailCertTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1763 + # panVPNIkeNegoP1CertIdMismatchTrap + # + # IKE phase-1 negotiation failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1CertIdMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1CertIdMismatchTrap" + root.out.event.category.name = "panVPNIkeNegoP1CertIdMismatchTrap" + root.out.event.message = "panVPNIkeNegoP1CertIdMismatchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1CertIdMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1CertIdMismatchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1CertIdMismatchTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1CertIdMismatchTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1764 + # panVPNIkeNegoP1CertSuccTrap + # + # IKE certificate authentication succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1CertSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1CertSuccTrap" + root.out.event.category.name = "panVPNIkeNegoP1CertSuccTrap" + root.out.event.message = "panVPNIkeNegoP1CertSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1CertSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeNegoP1CertSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeNegoP1CertSuccTrap - UNEXPECTED VARBINDS for panVPNIkeNegoP1CertSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1765 + # panVPNIkev2NegoIkeDpdDnTrap + # + # IKEv2 IKE SA is down determined by DPD. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeDpdDnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeDpdDnTrap" + root.out.event.category.name = "panVPNIkev2NegoIkeDpdDnTrap" + root.out.event.message = "panVPNIkev2NegoIkeDpdDnTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeDpdDnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoIkeDpdDnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoIkeDpdDnTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoIkeDpdDnTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1766 + # panVPNIkev2NegoPskIdtypeTrap + # + # IKEv2 SA negotiation is failed. When pre-shared key is used, peer-ID must be type IP address. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoPskIdtypeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoPskIdtypeTrap" + root.out.event.category.name = "panVPNIkev2NegoPskIdtypeTrap" + root.out.event.message = "panVPNIkev2NegoPskIdtypeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoPskIdtypeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoPskIdtypeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoPskIdtypeTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoPskIdtypeTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1767 + # panVPNIkev2NegoFailPskTrap + # + # IKEv2 SA negotiation is failed likely due to pre-shared key mismatch. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailPskTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailPskTrap" + root.out.event.category.name = "panVPNIkev2NegoFailPskTrap" + root.out.event.message = "panVPNIkev2NegoFailPskTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailPskTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailPskTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoFailPskTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoFailPskTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1768 + # panVPNIkev2NegoFailCommonTrap + # + # IKEv2 SA negotiation is failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailCommonTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailCommonTrap" + root.out.event.category.name = "panVPNIkev2NegoFailCommonTrap" + root.out.event.message = "panVPNIkev2NegoFailCommonTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailCommonTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailCommonTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoFailCommonTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoFailCommonTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1769 + # panVPNIkev2NegoFailCertTrap + # + # IKEv2 certificate authentication failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailCertTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailCertTrap" + root.out.event.category.name = "panVPNIkev2NegoFailCertTrap" + root.out.event.message = "panVPNIkev2NegoFailCertTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailCertTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailCertTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoFailCertTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoFailCertTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1770 + # panVPNIkev2NegoCertIdMismatchTrap + # + # IKEv2 SA negotiation failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoCertIdMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoCertIdMismatchTrap" + root.out.event.category.name = "panVPNIkev2NegoCertIdMismatchTrap" + root.out.event.message = "panVPNIkev2NegoCertIdMismatchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoCertIdMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoCertIdMismatchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoCertIdMismatchTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoCertIdMismatchTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1771 + # panVPNIkev2NegoCertSuccTrap + # + # IKEv2 certificate authentication succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { 
+ if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoCertSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoCertSuccTrap" + root.out.event.category.name = "panVPNIkev2NegoCertSuccTrap" + root.out.event.message = "panVPNIkev2NegoCertSuccTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoCertSuccTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoCertSuccTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoCertSuccTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoCertSuccTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1772 + # panVPNIkev2NegoUseV1Trap + # + # IKEv1 is used in IKEv2 preferred mode. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoUseV1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoUseV1Trap" + root.out.event.category.name = "panVPNIkev2NegoUseV1Trap" + root.out.event.message = "panVPNIkev2NegoUseV1Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoUseV1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoUseV1Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoUseV1Trap - UNEXPECTED VARBINDS for panVPNIkev2NegoUseV1Trap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1773 + # panVPNIkev2NegoStaleP1Trap + # + # Deleting a possible stale IKE SA. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoStaleP1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoStaleP1Trap" + root.out.event.category.name = "panVPNIkev2NegoStaleP1Trap" + root.out.event.message = "panVPNIkev2NegoStaleP1Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoStaleP1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoStaleP1Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoStaleP1Trap - UNEXPECTED VARBINDS for panVPNIkev2NegoStaleP1Trap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1774 + # panVPNIkev2NegoStaleP2Trap + # + # Deleting a possible stale IKEv2 child SA. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoStaleP2Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoStaleP2Trap" + root.out.event.category.name = "panVPNIkev2NegoStaleP2Trap" + root.out.event.message = "panVPNIkev2NegoStaleP2Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoStaleP2Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoStaleP2Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoStaleP2Trap - UNEXPECTED VARBINDS for panVPNIkev2NegoStaleP2Trap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1775 + # panVPNIkev2NegoChildDupRekeyTrap + # + # duplicate child SA rekey request detected, ignore new request. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + 
if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildDupRekeyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildDupRekeyTrap" + root.out.event.category.name = "panVPNIkev2NegoChildDupRekeyTrap" + root.out.event.message = "panVPNIkev2NegoChildDupRekeyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildDupRekeyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildDupRekeyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildDupRekeyTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildDupRekeyTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1776 + # panVPNIkev2NegoChildSimulContTrap + # + # simultaneous child SA rekey request detected, peer is PANOS. Ignore this new request. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulContTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulContTrap" + root.out.event.category.name = "panVPNIkev2NegoChildSimulContTrap" + root.out.event.message = "panVPNIkev2NegoChildSimulContTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulContTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulContTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildSimulContTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildSimulContTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1777 + # panVPNIkev2NegoChildSimulFailTrap + # + # simultaneous child SA rekey request detected, peer is PANOS. Previous request removed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulFailTrap" + root.out.event.category.name = "panVPNIkev2NegoChildSimulFailTrap" + root.out.event.message = "panVPNIkev2NegoChildSimulFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildSimulFailTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildSimulFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1778 + # panVPNIkev2NegoChildSimulDelayTrap + # + # simultaneous child SA rekey request detected, peer is not PANOS. Delay processing this new request. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulDelayTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulDelayTrap" + root.out.event.category.name = "panVPNIkev2NegoChildSimulDelayTrap" + root.out.event.message = "panVPNIkev2NegoChildSimulDelayTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulDelayTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildSimulDelayTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildSimulDelayTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildSimulDelayTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1779 + # panVPNIkev2NegoChildNoP1Trap + # + # IKEv2 child SA negotiation request received but no IKE SA is found. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildNoP1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildNoP1Trap" + root.out.event.category.name = "panVPNIkev2NegoChildNoP1Trap" + root.out.event.message = "panVPNIkev2NegoChildNoP1Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildNoP1Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildNoP1Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildNoP1Trap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildNoP1Trap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1780 + # panVPNIkev2NegoChildP1NotReadyTrap + # + # IKEv2 child SA negotiation request received but no active IKE SA is available. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildP1NotReadyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildP1NotReadyTrap" + root.out.event.category.name = "panVPNIkev2NegoChildP1NotReadyTrap" + root.out.event.message = "panVPNIkev2NegoChildP1NotReadyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildP1NotReadyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildP1NotReadyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildP1NotReadyTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildP1NotReadyTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1781 + # panVPNIkev2NegoChildTsBadTrap + # + # IKEv2 child SA negotiation failed when processing traffic selector. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildTsBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildTsBadTrap" + root.out.event.category.name = "panVPNIkev2NegoChildTsBadTrap" + root.out.event.message = "panVPNIkev2NegoChildTsBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildTsBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildTsBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildTsBadTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildTsBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1782 + # panVPNIkev2NegoChildProposalBadTrap + # + # IKEv2 child SA negotiation failed when processing SA payload. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildProposalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildProposalBadTrap" + root.out.event.category.name = "panVPNIkev2NegoChildProposalBadTrap" + root.out.event.message = "panVPNIkev2NegoChildProposalBadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildProposalBadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoChildProposalBadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoChildProposalBadTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoChildProposalBadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1783 + # panVPNIkev2RecvNotifyTrap + # + # IKEv2 notification message received: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvNotifyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvNotifyTrap" + root.out.event.category.name = "panVPNIkev2RecvNotifyTrap" + root.out.event.message = "panVPNIkev2RecvNotifyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvNotifyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvNotifyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2RecvNotifyTrap - UNEXPECTED VARBINDS for panVPNIkev2RecvNotifyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1784 + # panVPNIkev2RecvP1DeleteTrap + # + # IKEv2 IKE SA delete message received from peer. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvP1DeleteTrap" + root.out.event.category.name = "panVPNIkev2RecvP1DeleteTrap" + root.out.event.message = "panVPNIkev2RecvP1DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvP1DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2RecvP1DeleteTrap - UNEXPECTED VARBINDS for panVPNIkev2RecvP1DeleteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1785 + # panVPNIkev2RecvP2DeleteTrap + # + # IKEv2 IPSec SA delete message received from peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvP2DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvP2DeleteTrap" + root.out.event.category.name = "panVPNIkev2RecvP2DeleteTrap" + root.out.event.message = "panVPNIkev2RecvP2DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvP2DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2RecvP2DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2RecvP2DeleteTrap - UNEXPECTED VARBINDS for panVPNIkev2RecvP2DeleteTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1786 + # panVPNIkev2SendNotifyTrap + # + # IKEv2 notification message sent: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendNotifyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendNotifyTrap" + root.out.event.category.name = "panVPNIkev2SendNotifyTrap" + root.out.event.message = "panVPNIkev2SendNotifyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendNotifyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendNotifyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2SendNotifyTrap - UNEXPECTED VARBINDS for panVPNIkev2SendNotifyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1787 + # panVPNIkev2SendP1DeleteTrap + # + # IKEv2 IKE SA delete message sent to peer. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendP1DeleteTrap" + root.out.event.category.name = "panVPNIkev2SendP1DeleteTrap" + root.out.event.message = "panVPNIkev2SendP1DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendP1DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendP1DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2SendP1DeleteTrap - UNEXPECTED VARBINDS for panVPNIkev2SendP1DeleteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1788 + # panVPNIkev2SendP2DeleteTrap + # + # IKEv2 IPSec SA delete message sent to peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendP2DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendP2DeleteTrap" + root.out.event.category.name = "panVPNIkev2SendP2DeleteTrap" + root.out.event.message = "panVPNIkev2SendP2DeleteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendP2DeleteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2SendP2DeleteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2SendP2DeleteTrap - UNEXPECTED VARBINDS for panVPNIkev2SendP2DeleteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1789 + # panVPNSdwanTunnelStatusUpTrap + # + # SD-WAN Tunnel status change to UP. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNSdwanTunnelStatusUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNSdwanTunnelStatusUpTrap" + root.out.event.category.name = "panVPNSdwanTunnelStatusUpTrap" + root.out.event.message = "panVPNSdwanTunnelStatusUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNSdwanTunnelStatusUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNSdwanTunnelStatusUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNSdwanTunnelStatusUpTrap - UNEXPECTED VARBINDS for panVPNSdwanTunnelStatusUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1790 + # panVPNSdwanTunnelStatusDownTrap + # + # SD-WAN Tunnel status change to DOWN. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNSdwanTunnelStatusDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNSdwanTunnelStatusDownTrap" + root.out.event.category.name = "panVPNSdwanTunnelStatusDownTrap" + root.out.event.message = "panVPNSdwanTunnelStatusDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNSdwanTunnelStatusDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNSdwanTunnelStatusDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNSdwanTunnelStatusDownTrap - UNEXPECTED VARBINDS for panVPNSdwanTunnelStatusDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1791 + # panVPNIkeFqdnDownTrap + # + # IKE fqdn mapping is unresolved + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeFqdnDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeFqdnDownTrap" + root.out.event.category.name = "panVPNIkeFqdnDownTrap" + root.out.event.message = "panVPNIkeFqdnDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeFqdnDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeFqdnDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeFqdnDownTrap - UNEXPECTED VARBINDS for panVPNIkeFqdnDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1792 + # panVPNIkeFqdnChangeTrap + # + # IKE fqdn mapping is changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeFqdnChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeFqdnChangeTrap" + root.out.event.category.name = "panVPNIkeFqdnChangeTrap" + root.out.event.message = "panVPNIkeFqdnChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeFqdnChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkeFqdnChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkeFqdnChangeTrap - UNEXPECTED VARBINDS for panVPNIkeFqdnChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1793 + # panVPNIkev2NegoFailFipsTrap + # + # IKEv2 FIPS Security strength check failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailFipsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailFipsTrap" + root.out.event.category.name = "panVPNIkev2NegoFailFipsTrap" + root.out.event.message = "panVPNIkev2NegoFailFipsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailFipsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNIkev2NegoFailFipsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNIkev2NegoFailFipsTrap - UNEXPECTED VARBINDS for panVPNIkev2NegoFailFipsTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1794 + # panVPNVpnctlGenericEventTrap + # + # generic event + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlGenericEventTrap" + root.out.event.category.name = "panVPNVpnctlGenericEventTrap" + root.out.event.message = "panVPNVpnctlGenericEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlGenericEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNVpnctlGenericEventTrap - UNEXPECTED VARBINDS for panVPNVpnctlGenericEventTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1795 + # panVPNVpnctlIkeUpdownEventTrap + # + # ike SA updown + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlIkeUpdownEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlIkeUpdownEventTrap" + root.out.event.category.name = "panVPNVpnctlIkeUpdownEventTrap" + root.out.event.message = "panVPNVpnctlIkeUpdownEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlIkeUpdownEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlIkeUpdownEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNVpnctlIkeUpdownEventTrap - UNEXPECTED VARBINDS for panVPNVpnctlIkeUpdownEventTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1796 + # panVPNVpnctlIkeRekeyEventTrap + # + # ike SA rekey + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlIkeRekeyEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlIkeRekeyEventTrap" + root.out.event.category.name = "panVPNVpnctlIkeRekeyEventTrap" + root.out.event.message = "panVPNVpnctlIkeRekeyEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlIkeRekeyEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlIkeRekeyEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNVpnctlIkeRekeyEventTrap - UNEXPECTED VARBINDS for panVPNVpnctlIkeRekeyEventTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1797 + # panVPNVpnctlChildUpdownEventTrap + # + # child SA updown + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlChildUpdownEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlChildUpdownEventTrap" + root.out.event.category.name = "panVPNVpnctlChildUpdownEventTrap" + root.out.event.message = "panVPNVpnctlChildUpdownEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlChildUpdownEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlChildUpdownEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNVpnctlChildUpdownEventTrap - UNEXPECTED VARBINDS for panVPNVpnctlChildUpdownEventTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1798 + # panVPNVpnctlChildRekeyEventTrap + # + # child SA rekey + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlChildRekeyEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlChildRekeyEventTrap" + root.out.event.category.name = "panVPNVpnctlChildRekeyEventTrap" + root.out.event.message = "panVPNVpnctlChildRekeyEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlChildRekeyEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVPNVpnctlChildRekeyEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVPNVpnctlChildRekeyEventTrap - UNEXPECTED VARBINDS for panVPNVpnctlChildRekeyEventTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1800 + # panSATDSatdConfigP1SuccessTrap + # + # SATD daemon configuration load phase-1 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1SuccessTrap" + root.out.event.category.name = "panSATDSatdConfigP1SuccessTrap" + root.out.event.message = "panSATDSatdConfigP1SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdConfigP1SuccessTrap - UNEXPECTED VARBINDS for panSATDSatdConfigP1SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1801 + # panSATDSatdConfigP1FailedTrap + # + # SATD daemon configuration load phase-1 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1FailedTrap" + root.out.event.category.name = "panSATDSatdConfigP1FailedTrap" + root.out.event.message = "panSATDSatdConfigP1FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdConfigP1FailedTrap - UNEXPECTED VARBINDS for panSATDSatdConfigP1FailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1802 + # panSATDSatdConfigP1AbortTrap + # + # SATD daemon configuration load phase-1 aborted. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1AbortTrap" + root.out.event.category.name = "panSATDSatdConfigP1AbortTrap" + root.out.event.message = "panSATDSatdConfigP1AbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP1AbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdConfigP1AbortTrap - UNEXPECTED VARBINDS for panSATDSatdConfigP1AbortTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1803 + # panSATDSatdConfigP2SuccessTrap + # + # SATD daemon configuration load phase-2 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP2SuccessTrap" + root.out.event.category.name = "panSATDSatdConfigP2SuccessTrap" + root.out.event.message = "panSATDSatdConfigP2SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP2SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdConfigP2SuccessTrap - UNEXPECTED VARBINDS for panSATDSatdConfigP2SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1804 + # panSATDSatdConfigP2FailedTrap + # + # SATD daemon configuration load phase-2 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP2FailedTrap" + root.out.event.category.name = "panSATDSatdConfigP2FailedTrap" + root.out.event.message = "panSATDSatdConfigP2FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdConfigP2FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdConfigP2FailedTrap - UNEXPECTED VARBINDS for panSATDSatdConfigP2FailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1805 + # panSATDSatdDaemonStartTrap + # + # SATD daemon is ready. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonStartTrap" + root.out.event.category.name = "panSATDSatdDaemonStartTrap" + root.out.event.message = "panSATDSatdDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdDaemonStartTrap - UNEXPECTED VARBINDS for panSATDSatdDaemonStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1806 + # panSATDSatdDaemonExitTrap + # + # SATD daemon has exited. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonExitTrap" + root.out.event.category.name = "panSATDSatdDaemonExitTrap" + root.out.event.message = "panSATDSatdDaemonExitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonExitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdDaemonExitTrap - UNEXPECTED VARBINDS for panSATDSatdDaemonExitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1807 + # panSATDSatdDaemonInitTrap + # + # SATD daemon is initializing. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonInitTrap" + root.out.event.category.name = "panSATDSatdDaemonInitTrap" + root.out.event.message = "panSATDSatdDaemonInitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDaemonInitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdDaemonInitTrap - UNEXPECTED VARBINDS for panSATDSatdDaemonInitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1808 + # panSATDSatdTunUpTrap + # + # Global Protect Site to Site Satellite tunnel is up. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunUpTrap" + root.out.event.category.name = "panSATDSatdTunUpTrap" + root.out.event.message = "panSATDSatdTunUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdTunUpTrap - UNEXPECTED VARBINDS for panSATDSatdTunUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1809 + # panSATDSatdTunDownTrap + # + # Global Protect Site to Site Satellite tunnel is down. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunDownTrap" + root.out.event.category.name = "panSATDSatdTunDownTrap" + root.out.event.message = "panSATDSatdTunDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdTunDownTrap - UNEXPECTED VARBINDS for panSATDSatdTunDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1810 + # panSATDSatdDupSubnetsTrap + # + # Global Protect Site to Site Satellite tunnel has duplicate subnets. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDupSubnetsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDupSubnetsTrap" + root.out.event.category.name = "panSATDSatdDupSubnetsTrap" + root.out.event.message = "panSATDSatdDupSubnetsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDupSubnetsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDupSubnetsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdDupSubnetsTrap - UNEXPECTED VARBINDS for panSATDSatdDupSubnetsTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1811 + # panSATDSatdDeniedRoutesTrap + # + # Global Protect Site to Site Satellite tunnel was denied routes. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDeniedRoutesTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDeniedRoutesTrap" + root.out.event.category.name = "panSATDSatdDeniedRoutesTrap" + root.out.event.message = "panSATDSatdDeniedRoutesTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDeniedRoutesTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdDeniedRoutesTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdDeniedRoutesTrap - UNEXPECTED VARBINDS for panSATDSatdDeniedRoutesTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1812 + # panSATDSatdPortalGatewayDuplicateTrap + # + # GlobalProtect portal config duplicated gateway. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalGatewayDuplicateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalGatewayDuplicateTrap" + root.out.event.category.name = "panSATDSatdPortalGatewayDuplicateTrap" + root.out.event.message = "panSATDSatdPortalGatewayDuplicateTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalGatewayDuplicateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalGatewayDuplicateTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdPortalGatewayDuplicateTrap - UNEXPECTED VARBINDS for panSATDSatdPortalGatewayDuplicateTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1813 + # panSATDSatdFlowFullSyncStartTrap + # + # SATD daemon sync all gateway infos to Flow started. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncStartTrap" + root.out.event.category.name = "panSATDSatdFlowFullSyncStartTrap" + root.out.event.message = "panSATDSatdFlowFullSyncStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdFlowFullSyncStartTrap - UNEXPECTED VARBINDS for panSATDSatdFlowFullSyncStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1814 + # panSATDSatdFlowFullSyncAbortTrap + # + # SATD daemon sync all gateway infos to Flow no longer needed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncAbortTrap" + root.out.event.category.name = "panSATDSatdFlowFullSyncAbortTrap" + root.out.event.message = "panSATDSatdFlowFullSyncAbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncAbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdFlowFullSyncAbortTrap - UNEXPECTED VARBINDS for panSATDSatdFlowFullSyncAbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1815 + # panSATDSatdFlowFullSyncDoneTrap + # + # SATD daemon sync all gateway infos to Flow exit. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncDoneTrap" + root.out.event.category.name = "panSATDSatdFlowFullSyncDoneTrap" + root.out.event.message = "panSATDSatdFlowFullSyncDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdFlowFullSyncDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdFlowFullSyncDoneTrap - UNEXPECTED VARBINDS for panSATDSatdFlowFullSyncDoneTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1816 + # panSATDSatdHaFullSyncStartTrap + # + # SATD daemon sync all gateway infos to HA peer started. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncStartTrap" + root.out.event.category.name = "panSATDSatdHaFullSyncStartTrap" + root.out.event.message = "panSATDSatdHaFullSyncStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdHaFullSyncStartTrap - UNEXPECTED VARBINDS for panSATDSatdHaFullSyncStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1817 + # panSATDSatdHaFullSyncAbortTrap + # + # SATD daemon sync all gateway infos to HA peer no longer needed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncAbortTrap" + root.out.event.category.name = "panSATDSatdHaFullSyncAbortTrap" + root.out.event.message = "panSATDSatdHaFullSyncAbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncAbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncAbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdHaFullSyncAbortTrap - UNEXPECTED VARBINDS for panSATDSatdHaFullSyncAbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1818 + # panSATDSatdHaFullSyncDoneTrap + # + # SATD daemon sync all gateway infos to HA peer exit. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncDoneTrap" + root.out.event.category.name = "panSATDSatdHaFullSyncDoneTrap" + root.out.event.message = "panSATDSatdHaFullSyncDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdHaFullSyncDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdHaFullSyncDoneTrap - UNEXPECTED VARBINDS for panSATDSatdHaFullSyncDoneTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1819 + # panSATDSatdIpAssignFailTrap + # + # GlobalProtect Satellite IP address assignment failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdIpAssignFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdIpAssignFailTrap" + root.out.event.category.name = "panSATDSatdIpAssignFailTrap" + root.out.event.message = "panSATDSatdIpAssignFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdIpAssignFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdIpAssignFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdIpAssignFailTrap - UNEXPECTED VARBINDS for panSATDSatdIpAssignFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1820 + # panSATDSatdIpResetFailTrap + # + # GlobalProtect Satellite IP address reset failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdIpResetFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdIpResetFailTrap" + root.out.event.category.name = "panSATDSatdIpResetFailTrap" + root.out.event.message = "panSATDSatdIpResetFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdIpResetFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdIpResetFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdIpResetFailTrap - UNEXPECTED VARBINDS for panSATDSatdIpResetFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1821 + # panSATDSatdTunMonDownTrap + # + # GlobalProtect Satellite Tunnel monitor down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunMonDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunMonDownTrap" + root.out.event.category.name = "panSATDSatdTunMonDownTrap" + root.out.event.message = "panSATDSatdTunMonDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunMonDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunMonDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdTunMonDownTrap - UNEXPECTED VARBINDS for panSATDSatdTunMonDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1822 + # panSATDSatdTunMonUpTrap + # + # GlobalProtect Satellite Tunnel monitor up + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunMonUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunMonUpTrap" + root.out.event.category.name = "panSATDSatdTunMonUpTrap" + root.out.event.message = "panSATDSatdTunMonUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunMonUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunMonUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdTunMonUpTrap - UNEXPECTED VARBINDS for panSATDSatdTunMonUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1823 + # panSATDSatdTunSoftlifetimeExpiredTrap + # + # GlobalProtect Satellite Tunnel soft lifetime expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { 
+ if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunSoftlifetimeExpiredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunSoftlifetimeExpiredTrap" + root.out.event.category.name = "panSATDSatdTunSoftlifetimeExpiredTrap" + root.out.event.message = "panSATDSatdTunSoftlifetimeExpiredTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunSoftlifetimeExpiredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunSoftlifetimeExpiredTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdTunSoftlifetimeExpiredTrap - UNEXPECTED VARBINDS for panSATDSatdTunSoftlifetimeExpiredTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1824 + # panSATDSatdTunHardlifetimeExpiredTrap + # + # GlobalProtect Satellite Tunnel hard lifetime expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunHardlifetimeExpiredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunHardlifetimeExpiredTrap" + root.out.event.category.name = "panSATDSatdTunHardlifetimeExpiredTrap" + root.out.event.message = "panSATDSatdTunHardlifetimeExpiredTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunHardlifetimeExpiredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunHardlifetimeExpiredTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdTunHardlifetimeExpiredTrap - UNEXPECTED VARBINDS for panSATDSatdTunHardlifetimeExpiredTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1825 + # panSATDSatdAccRouteUpdFailTrap + # + # GlobalProtect Satellite Access Routes update failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdAccRouteUpdFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdAccRouteUpdFailTrap" + root.out.event.category.name = "panSATDSatdAccRouteUpdFailTrap" + root.out.event.message = "panSATDSatdAccRouteUpdFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdAccRouteUpdFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdAccRouteUpdFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdAccRouteUpdFailTrap - UNEXPECTED VARBINDS for panSATDSatdAccRouteUpdFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1826 + # panSATDSatdNhUpdFailTrap + # + # GlobalProtect Satellite Next Hop update failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdNhUpdFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdNhUpdFailTrap" + root.out.event.category.name = "panSATDSatdNhUpdFailTrap" + root.out.event.message = "panSATDSatdNhUpdFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdNhUpdFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdNhUpdFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdNhUpdFailTrap - UNEXPECTED VARBINDS for panSATDSatdNhUpdFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1827 + # panSATDSatdTunDpInstallErrTrap + # + # Dataplane tunnel install error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunDpInstallErrTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunDpInstallErrTrap" + root.out.event.category.name = "panSATDSatdTunDpInstallErrTrap" + root.out.event.message = "panSATDSatdTunDpInstallErrTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunDpInstallErrTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdTunDpInstallErrTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdTunDpInstallErrTrap - UNEXPECTED VARBINDS for panSATDSatdTunDpInstallErrTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1828 + # panSATDSatdGatewayConnectStartedTrap + # + # GlobalProtect satellite connection to gateway started. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGatewayConnectStartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGatewayConnectStartedTrap" + root.out.event.category.name = "panSATDSatdGatewayConnectStartedTrap" + root.out.event.message = "panSATDSatdGatewayConnectStartedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGatewayConnectStartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGatewayConnectStartedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdGatewayConnectStartedTrap - UNEXPECTED VARBINDS for panSATDSatdGatewayConnectStartedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1829 + # panSATDSatdPortalConnectStartedTrap + # + # GlobalProtect satellite connection to portal started. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalConnectStartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalConnectStartedTrap" + root.out.event.category.name = "panSATDSatdPortalConnectStartedTrap" + root.out.event.message = "panSATDSatdPortalConnectStartedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalConnectStartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalConnectStartedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdPortalConnectStartedTrap - UNEXPECTED VARBINDS for panSATDSatdPortalConnectStartedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1830 + # panSATDSatdGatewayConnectFailedTrap + # + # GlobalProtect satellite connection to gateway failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGatewayConnectFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGatewayConnectFailedTrap" + root.out.event.category.name = "panSATDSatdGatewayConnectFailedTrap" + root.out.event.message = "panSATDSatdGatewayConnectFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGatewayConnectFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGatewayConnectFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdGatewayConnectFailedTrap - UNEXPECTED VARBINDS for panSATDSatdGatewayConnectFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1831 + # panSATDSatdPortalConnectFailedTrap + # + # GlobalProtect satellite connection to portal failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalConnectFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalConnectFailedTrap" + root.out.event.category.name = "panSATDSatdPortalConnectFailedTrap" + root.out.event.message = "panSATDSatdPortalConnectFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalConnectFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdPortalConnectFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdPortalConnectFailedTrap - UNEXPECTED VARBINDS for panSATDSatdPortalConnectFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1832 + # panSATDSatdGenericEventTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGenericEventTrap" + root.out.event.category.name = "panSATDSatdGenericEventTrap" + root.out.event.message = "panSATDSatdGenericEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSATDSatdGenericEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSATDSatdGenericEventTrap - UNEXPECTED VARBINDS for panSATDSatdGenericEventTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1900 + # panSSLMGRSslmgrConfigP1SuccessTrap + # + # SSLMGR daemon configuration load phase-1 succeeded. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1SuccessTrap" + root.out.event.category.name = "panSSLMGRSslmgrConfigP1SuccessTrap" + root.out.event.message = "panSSLMGRSslmgrConfigP1SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrConfigP1SuccessTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrConfigP1SuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1901 + # panSSLMGRSslmgrConfigP1FailedTrap + # + # SSLMGR daemon configuration load phase-1 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1FailedTrap" + root.out.event.category.name = "panSSLMGRSslmgrConfigP1FailedTrap" + root.out.event.message = "panSSLMGRSslmgrConfigP1FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrConfigP1FailedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrConfigP1FailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1902 + # panSSLMGRSslmgrConfigP1AbortTrap + # + # SSLMGR daemon configuration load phase-1 aborted. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1AbortTrap" + root.out.event.category.name = "panSSLMGRSslmgrConfigP1AbortTrap" + root.out.event.message = "panSSLMGRSslmgrConfigP1AbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP1AbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrConfigP1AbortTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrConfigP1AbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1903 + # panSSLMGRSslmgrConfigP2SuccessTrap + # + # SSLMGR daemon configuration load phase-2 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP2SuccessTrap" + root.out.event.category.name = "panSSLMGRSslmgrConfigP2SuccessTrap" + root.out.event.message = "panSSLMGRSslmgrConfigP2SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP2SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrConfigP2SuccessTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrConfigP2SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1904 + # panSSLMGRSslmgrConfigP2FailedTrap + # + # SSLMGR daemon configuration load phase-2 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP2FailedTrap" + root.out.event.category.name = "panSSLMGRSslmgrConfigP2FailedTrap" + root.out.event.message = "panSSLMGRSslmgrConfigP2FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrConfigP2FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrConfigP2FailedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrConfigP2FailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1905 + # panSSLMGRSslmgrDaemonStartTrap + # + # SSLMGR daemon is ready. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrDaemonStartTrap" + root.out.event.category.name = "panSSLMGRSslmgrDaemonStartTrap" + root.out.event.message = "panSSLMGRSslmgrDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrDaemonStartTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrDaemonStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1906 + # panSSLMGRSslmgrDaemonExitTrap + # + # SSLMGR daemon has exited. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrDaemonExitTrap" + root.out.event.category.name = "panSSLMGRSslmgrDaemonExitTrap" + root.out.event.message = "panSSLMGRSslmgrDaemonExitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrDaemonExitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrDaemonExitTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrDaemonExitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1907 + # panSSLMGRSslmgrCertGenSuccessTrap + # + # SSLMGR generate certificate succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertGenSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertGenSuccessTrap" + root.out.event.category.name = "panSSLMGRSslmgrCertGenSuccessTrap" + root.out.event.message = "panSSLMGRSslmgrCertGenSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertGenSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertGenSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrCertGenSuccessTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrCertGenSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1908 + # panSSLMGRSslmgrCertGenFailedTrap + # + # SSLMGR generate certificate failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertGenFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertGenFailedTrap" + root.out.event.category.name = "panSSLMGRSslmgrCertGenFailedTrap" + root.out.event.message = "panSSLMGRSslmgrCertGenFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertGenFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertGenFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrCertGenFailedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrCertGenFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1909 + # panSSLMGRSslmgrCertStatusDeletedTrap + # + # SSLMGR certificate status deleted. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertStatusDeletedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertStatusDeletedTrap" + root.out.event.category.name = "panSSLMGRSslmgrCertStatusDeletedTrap" + root.out.event.message = "panSSLMGRSslmgrCertStatusDeletedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertStatusDeletedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertStatusDeletedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrCertStatusDeletedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrCertStatusDeletedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1910 + # panSSLMGRSslmgrCertStatusRevokedTrap + # + # SSLMGR certificate status revoked. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertStatusRevokedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertStatusRevokedTrap" + root.out.event.category.name = "panSSLMGRSslmgrCertStatusRevokedTrap" + root.out.event.message = "panSSLMGRSslmgrCertStatusRevokedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertStatusRevokedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertStatusRevokedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrCertStatusRevokedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrCertStatusRevokedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1911 + # panSSLMGRSslmgrSatelliteInfoInsertedTrap + # + # SSLMGR satellite info inserted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoInsertedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoInsertedTrap" + root.out.event.category.name = "panSSLMGRSslmgrSatelliteInfoInsertedTrap" + root.out.event.message = "panSSLMGRSslmgrSatelliteInfoInsertedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoInsertedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoInsertedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrSatelliteInfoInsertedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrSatelliteInfoInsertedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1912 + # panSSLMGRSslmgrSatelliteInfoUpdatedTrap + # + # SSLMGR satellite info updated + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoUpdatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoUpdatedTrap" + root.out.event.category.name = "panSSLMGRSslmgrSatelliteInfoUpdatedTrap" + root.out.event.message = "panSSLMGRSslmgrSatelliteInfoUpdatedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoUpdatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoUpdatedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrSatelliteInfoUpdatedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrSatelliteInfoUpdatedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1913 + # panSSLMGRSslmgrSatelliteInfoDeletedTrap + # + # SSLMGR satellite info deleted + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoDeletedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoDeletedTrap" + root.out.event.category.name = "panSSLMGRSslmgrSatelliteInfoDeletedTrap" + root.out.event.message = "panSSLMGRSslmgrSatelliteInfoDeletedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoDeletedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrSatelliteInfoDeletedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrSatelliteInfoDeletedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrSatelliteInfoDeletedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1914 + # panSSLMGRSslmgrCertOcspVerifyFailedTrap + # + # SSLMGR certificate ocsp verification failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertOcspVerifyFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertOcspVerifyFailedTrap" + root.out.event.category.name = "panSSLMGRSslmgrCertOcspVerifyFailedTrap" + root.out.event.message = "panSSLMGRSslmgrCertOcspVerifyFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertOcspVerifyFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertOcspVerifyFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrCertOcspVerifyFailedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrCertOcspVerifyFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1915 + # panSSLMGRSslmgrCertCrlVerifyFailedTrap + # + # SSLMGR certificate crl verification failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertCrlVerifyFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertCrlVerifyFailedTrap" + root.out.event.category.name = "panSSLMGRSslmgrCertCrlVerifyFailedTrap" + root.out.event.message = "panSSLMGRSslmgrCertCrlVerifyFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertCrlVerifyFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrCertCrlVerifyFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrCertCrlVerifyFailedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrCertCrlVerifyFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1916 + # panSSLMGRSslmgrHaFullSyncTrap + # + # SSLMGR daemon sync to HA peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrHaFullSyncTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrHaFullSyncTrap" + root.out.event.category.name = "panSSLMGRSslmgrHaFullSyncTrap" + root.out.event.message = "panSSLMGRSslmgrHaFullSyncTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrHaFullSyncTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrHaFullSyncTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrHaFullSyncTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrHaFullSyncTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1917 + # panSSLMGRSslmgrHaNotFullSyncTrap + # + # SSLMGR daemon not sync to HA peer. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrHaNotFullSyncTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrHaNotFullSyncTrap" + root.out.event.category.name = "panSSLMGRSslmgrHaNotFullSyncTrap" + root.out.event.message = "panSSLMGRSslmgrHaNotFullSyncTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrHaNotFullSyncTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrHaNotFullSyncTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrHaNotFullSyncTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrHaNotFullSyncTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1918 + # panSSLMGRSslmgrGenericEventTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrGenericEventTrap" + root.out.event.category.name = "panSSLMGRSslmgrGenericEventTrap" + root.out.event.message = "panSSLMGRSslmgrGenericEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrGenericEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrGenericEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrGenericEventTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrGenericEventTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1919 + # panSSLMGRSslmgrScepCertSuccessTrap + # + # SSLMGR generate SCEP certificate succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCertSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCertSuccessTrap" + root.out.event.category.name = "panSSLMGRSslmgrScepCertSuccessTrap" + root.out.event.message = "panSSLMGRSslmgrScepCertSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCertSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCertSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrScepCertSuccessTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrScepCertSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1920 + # panSSLMGRSslmgrScepCertFailedTrap + # + # SSLMGR generate SCEP certificate failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCertFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCertFailedTrap" + root.out.event.category.name = "panSSLMGRSslmgrScepCertFailedTrap" + root.out.event.message = "panSSLMGRSslmgrScepCertFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCertFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCertFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrScepCertFailedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrScepCertFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1921 + # panSSLMGRSslmgrScepCaCertSuccessTrap + # + # SSLMGR import SCEP CA certificate succeeded. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCaCertSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCaCertSuccessTrap" + root.out.event.category.name = "panSSLMGRSslmgrScepCaCertSuccessTrap" + root.out.event.message = "panSSLMGRSslmgrScepCaCertSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCaCertSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCaCertSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrScepCaCertSuccessTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrScepCaCertSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1922 + # panSSLMGRSslmgrScepCaCertFailedTrap + # + # SSLMGR import SCEP CA certificate failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCaCertFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCaCertFailedTrap" + root.out.event.category.name = "panSSLMGRSslmgrScepCaCertFailedTrap" + root.out.event.message = "panSSLMGRSslmgrScepCaCertFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCaCertFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRSslmgrScepCaCertFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRSslmgrScepCaCertFailedTrap - UNEXPECTED VARBINDS for panSSLMGRSslmgrScepCaCertFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1923 + # panSSLMGRCaSessionEstablishmentSuccessTrap + # + # CA session establishment succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRCaSessionEstablishmentSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRCaSessionEstablishmentSuccessTrap" + root.out.event.category.name = "panSSLMGRCaSessionEstablishmentSuccessTrap" + root.out.event.message = "panSSLMGRCaSessionEstablishmentSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRCaSessionEstablishmentSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRCaSessionEstablishmentSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRCaSessionEstablishmentSuccessTrap - UNEXPECTED VARBINDS for panSSLMGRCaSessionEstablishmentSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 1924 + # panSSLMGRCaSessionEstablishmentFailedTrap + # + # CA session establishment failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRCaSessionEstablishmentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRCaSessionEstablishmentFailedTrap" + root.out.event.category.name = "panSSLMGRCaSessionEstablishmentFailedTrap" + root.out.event.message = "panSSLMGRCaSessionEstablishmentFailedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRCaSessionEstablishmentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSLMGRCaSessionEstablishmentFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSLMGRCaSessionEstablishmentFailedTrap - UNEXPECTED VARBINDS for panSSLMGRCaSessionEstablishmentFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2000 + # panURLNoUrlDatabaseTrap + # + # No URL database! 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLNoUrlDatabaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLNoUrlDatabaseTrap" + root.out.event.category.name = "panURLNoUrlDatabaseTrap" + root.out.event.message = "panURLNoUrlDatabaseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLNoUrlDatabaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLNoUrlDatabaseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLNoUrlDatabaseTrap - UNEXPECTED VARBINDS for panURLNoUrlDatabaseTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2001 + # panURLInvalidLicenseTrap + # + # No URL filtering license or license expired! + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLInvalidLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLInvalidLicenseTrap" + root.out.event.category.name = "panURLInvalidLicenseTrap" + root.out.event.message = "panURLInvalidLicenseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLInvalidLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLInvalidLicenseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLInvalidLicenseTrap - UNEXPECTED VARBINDS for panURLInvalidLicenseTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2002 + # panURLFailedToLockUpdateTrap + # + # Failed to lock database update process + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLFailedToLockUpdateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLFailedToLockUpdateTrap" + root.out.event.category.name = "panURLFailedToLockUpdateTrap" + root.out.event.message = "panURLFailedToLockUpdateTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLFailedToLockUpdateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLFailedToLockUpdateTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLFailedToLockUpdateTrap - UNEXPECTED VARBINDS for panURLFailedToLockUpdateTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2003 + # panURLConnectionSuccessTrap + # + # connected to update server. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLConnectionSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLConnectionSuccessTrap" + root.out.event.category.name = "panURLConnectionSuccessTrap" + root.out.event.message = "panURLConnectionSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLConnectionSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLConnectionSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLConnectionSuccessTrap - UNEXPECTED VARBINDS for panURLConnectionSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2004 + # panURLConnectionFailureTrap + # + # Failed to connect to update server. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLConnectionFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLConnectionFailureTrap" + root.out.event.category.name = "panURLConnectionFailureTrap" + root.out.event.message = "panURLConnectionFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLConnectionFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLConnectionFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLConnectionFailureTrap - UNEXPECTED VARBINDS for panURLConnectionFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2005 + # panURLServerIsDownTrap + # + # Update Server is down. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLServerIsDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLServerIsDownTrap" + root.out.event.category.name = "panURLServerIsDownTrap" + root.out.event.message = "panURLServerIsDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLServerIsDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLServerIsDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLServerIsDownTrap - UNEXPECTED VARBINDS for panURLServerIsDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2006 + # panURLProxyConnectionFailureTrap + # + # Failed to connect to proxy server. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLProxyConnectionFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLProxyConnectionFailureTrap" + root.out.event.category.name = "panURLProxyConnectionFailureTrap" + root.out.event.message = "panURLProxyConnectionFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLProxyConnectionFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLProxyConnectionFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLProxyConnectionFailureTrap - UNEXPECTED VARBINDS for panURLProxyConnectionFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2007 + # panURLReceiveDataFailureTrap + # + # Failed to receive data from update server. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLReceiveDataFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLReceiveDataFailureTrap" + root.out.event.category.name = "panURLReceiveDataFailureTrap" + root.out.event.message = "panURLReceiveDataFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLReceiveDataFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLReceiveDataFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLReceiveDataFailureTrap - UNEXPECTED VARBINDS for panURLReceiveDataFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2008 + # panURLDynamicUrlConnectionDownTrap + # + # Dynamic URL connection is unavailable. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDynamicUrlConnectionDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDynamicUrlConnectionDownTrap" + root.out.event.category.name = "panURLDynamicUrlConnectionDownTrap" + root.out.event.message = "panURLDynamicUrlConnectionDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDynamicUrlConnectionDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDynamicUrlConnectionDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLDynamicUrlConnectionDownTrap - UNEXPECTED VARBINDS for panURLDynamicUrlConnectionDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2009 + # panURLDownloadingUrlDatabaseTrap + # + # Downloading URL database. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadingUrlDatabaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadingUrlDatabaseTrap" + root.out.event.category.name = "panURLDownloadingUrlDatabaseTrap" + root.out.event.message = "panURLDownloadingUrlDatabaseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadingUrlDatabaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadingUrlDatabaseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLDownloadingUrlDatabaseTrap - UNEXPECTED VARBINDS for panURLDownloadingUrlDatabaseTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2010 + # panURLDownloadUrlDatabaseSuccessTrap + # + # Database was downloaded successfully. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadUrlDatabaseSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadUrlDatabaseSuccessTrap" + root.out.event.category.name = "panURLDownloadUrlDatabaseSuccessTrap" + root.out.event.message = "panURLDownloadUrlDatabaseSuccessTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadUrlDatabaseSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadUrlDatabaseSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLDownloadUrlDatabaseSuccessTrap - UNEXPECTED VARBINDS for panURLDownloadUrlDatabaseSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2011 + # panURLUpgradeUrlDatabaseSuccessTrap + # + # Database was upgraded successfully. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUpgradeUrlDatabaseSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUpgradeUrlDatabaseSuccessTrap" + root.out.event.category.name = "panURLUpgradeUrlDatabaseSuccessTrap" + root.out.event.message = "panURLUpgradeUrlDatabaseSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUpgradeUrlDatabaseSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUpgradeUrlDatabaseSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUpgradeUrlDatabaseSuccessTrap - UNEXPECTED VARBINDS for panURLUpgradeUrlDatabaseSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2012 + # panURLRevertUrlDatabaseSuccessTrap + # + # Database was reverted successfully. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRevertUrlDatabaseSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRevertUrlDatabaseSuccessTrap" + root.out.event.category.name = "panURLRevertUrlDatabaseSuccessTrap" + root.out.event.message = "panURLRevertUrlDatabaseSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRevertUrlDatabaseSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRevertUrlDatabaseSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLRevertUrlDatabaseSuccessTrap - UNEXPECTED VARBINDS for panURLRevertUrlDatabaseSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2013 + # panURLUrlDatabaseIsLatestTrap + # + # Database is latest. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlDatabaseIsLatestTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlDatabaseIsLatestTrap" + root.out.event.category.name = "panURLUrlDatabaseIsLatestTrap" + root.out.event.message = "panURLUrlDatabaseIsLatestTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlDatabaseIsLatestTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlDatabaseIsLatestTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUrlDatabaseIsLatestTrap - UNEXPECTED VARBINDS for panURLUrlDatabaseIsLatestTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2014 + # panURLUrlDownloadFailureTrap + # + # Failed to download a file from the cloud. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlDownloadFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlDownloadFailureTrap" + root.out.event.category.name = "panURLUrlDownloadFailureTrap" + root.out.event.message = "panURLUrlDownloadFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlDownloadFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlDownloadFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUrlDownloadFailureTrap - UNEXPECTED VARBINDS for panURLUrlDownloadFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2015 + # panURLUrlCloudConnectionFailureTrap + # + # Failed to connect the cloud. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlCloudConnectionFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlCloudConnectionFailureTrap" + root.out.event.category.name = "panURLUrlCloudConnectionFailureTrap" + root.out.event.message = "panURLUrlCloudConnectionFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlCloudConnectionFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlCloudConnectionFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUrlCloudConnectionFailureTrap - UNEXPECTED VARBINDS for panURLUrlCloudConnectionFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2016 + # panURLUrlCloudConnectionSuccessTrap + # + # Connects to the cloud successfully. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlCloudConnectionSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlCloudConnectionSuccessTrap" + root.out.event.category.name = "panURLUrlCloudConnectionSuccessTrap" + root.out.event.message = "panURLUrlCloudConnectionSuccessTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlCloudConnectionSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlCloudConnectionSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUrlCloudConnectionSuccessTrap - UNEXPECTED VARBINDS for panURLUrlCloudConnectionSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2017 + # panURLUrlBackupSeedSuccessTrap + # + # Backups the URL seed successfully. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlBackupSeedSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlBackupSeedSuccessTrap" + root.out.event.category.name = "panURLUrlBackupSeedSuccessTrap" + root.out.event.message = "panURLUrlBackupSeedSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlBackupSeedSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlBackupSeedSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUrlBackupSeedSuccessTrap - UNEXPECTED VARBINDS for panURLUrlBackupSeedSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2018 + # panURLUrlBackupSeedFailureTrap + # + # Failed to backup the URL seed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlBackupSeedFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlBackupSeedFailureTrap" + root.out.event.category.name = "panURLUrlBackupSeedFailureTrap" + root.out.event.message = "panURLUrlBackupSeedFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlBackupSeedFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlBackupSeedFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUrlBackupSeedFailureTrap - UNEXPECTED VARBINDS for panURLUrlBackupSeedFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2019 + # panURLCloudElectionTrap + # + # In cloud election process. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudElectionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudElectionTrap" + root.out.event.category.name = "panURLCloudElectionTrap" + root.out.event.message = "panURLCloudElectionTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudElectionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudElectionTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLCloudElectionTrap - UNEXPECTED VARBINDS for panURLCloudElectionTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2020 + # panURLCloudProcessStartsTrap + # + # Cloud process starts. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudProcessStartsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudProcessStartsTrap" + root.out.event.category.name = "panURLCloudProcessStartsTrap" + root.out.event.message = "panURLCloudProcessStartsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudProcessStartsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudProcessStartsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLCloudProcessStartsTrap - UNEXPECTED VARBINDS for panURLCloudProcessStartsTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2021 + # panURLCloudProcessStoppedTrap + # + # Stopped the cloud process. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudProcessStoppedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudProcessStoppedTrap" + root.out.event.category.name = "panURLCloudProcessStoppedTrap" + root.out.event.message = "panURLCloudProcessStoppedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudProcessStoppedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLCloudProcessStoppedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLCloudProcessStoppedTrap - UNEXPECTED VARBINDS for panURLCloudProcessStoppedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2022 + # panURLUpdateVersionFailureTrap + # + # Failed to update to the new seed version. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUpdateVersionFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUpdateVersionFailureTrap" + root.out.event.category.name = "panURLUpdateVersionFailureTrap" + root.out.event.message = "panURLUpdateVersionFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUpdateVersionFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUpdateVersionFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUpdateVersionFailureTrap - UNEXPECTED VARBINDS for panURLUpdateVersionFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2023 + # panURLErrorMsgFromCloudTrap + # + # Got an error message from the cloud. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLErrorMsgFromCloudTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLErrorMsgFromCloudTrap" + root.out.event.category.name = "panURLErrorMsgFromCloudTrap" + root.out.event.message = "panURLErrorMsgFromCloudTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLErrorMsgFromCloudTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLErrorMsgFromCloudTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLErrorMsgFromCloudTrap - UNEXPECTED VARBINDS for panURLErrorMsgFromCloudTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2024 + # panURLTestASiteTrap + # + # Test-A-Site result. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLTestASiteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLTestASiteTrap" + root.out.event.category.name = "panURLTestASiteTrap" + root.out.event.message = "panURLTestASiteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLTestASiteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLTestASiteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLTestASiteTrap - UNEXPECTED VARBINDS for panURLTestASiteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2025 + # panURLUrlEngineStoppedTrap + # + # Stopped URL engine. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlEngineStoppedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlEngineStoppedTrap" + root.out.event.category.name = "panURLUrlEngineStoppedTrap" + root.out.event.message = "panURLUrlEngineStoppedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlEngineStoppedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlEngineStoppedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUrlEngineStoppedTrap - UNEXPECTED VARBINDS for panURLUrlEngineStoppedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2026 + # panURLUrlEngineStartsTrap + # + # URL engine starts. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlEngineStartsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlEngineStartsTrap" + root.out.event.category.name = "panURLUrlEngineStartsTrap" + root.out.event.message = "panURLUrlEngineStartsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlEngineStartsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLUrlEngineStartsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLUrlEngineStartsTrap - UNEXPECTED VARBINDS for panURLUrlEngineStartsTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2027 + # panURLStartupFailureTrap + # + # URL engine failed to start. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartupFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartupFailureTrap" + root.out.event.category.name = "panURLStartupFailureTrap" + root.out.event.message = "panURLStartupFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartupFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartupFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLStartupFailureTrap - UNEXPECTED VARBINDS for panURLStartupFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2028 + # panURLHaSyncFailureTrap + # + # Failed to process HA sync. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLHaSyncFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLHaSyncFailureTrap" + root.out.event.category.name = "panURLHaSyncFailureTrap" + root.out.event.message = "panURLHaSyncFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLHaSyncFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLHaSyncFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLHaSyncFailureTrap - UNEXPECTED VARBINDS for panURLHaSyncFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2029 + # panURLHaSyncSuccessTrap + # + # HA sync processed successfully. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLHaSyncSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLHaSyncSuccessTrap" + root.out.event.category.name = "panURLHaSyncSuccessTrap" + root.out.event.message = "panURLHaSyncSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLHaSyncSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLHaSyncSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLHaSyncSuccessTrap - UNEXPECTED VARBINDS for panURLHaSyncSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2030 + # panURLSaveMpCacheToDiscFailureTrap + # + # Failed to save MP cache to disc. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSaveMpCacheToDiscFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSaveMpCacheToDiscFailureTrap" + root.out.event.category.name = "panURLSaveMpCacheToDiscFailureTrap" + root.out.event.message = "panURLSaveMpCacheToDiscFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSaveMpCacheToDiscFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSaveMpCacheToDiscFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLSaveMpCacheToDiscFailureTrap - UNEXPECTED VARBINDS for panURLSaveMpCacheToDiscFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2031 + # panURLSaveMpCacheToDiscSuccessTrap + # + # Saved MP cache to disc successfully. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSaveMpCacheToDiscSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSaveMpCacheToDiscSuccessTrap" + root.out.event.category.name = "panURLSaveMpCacheToDiscSuccessTrap" + root.out.event.message = "panURLSaveMpCacheToDiscSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSaveMpCacheToDiscSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSaveMpCacheToDiscSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLSaveMpCacheToDiscSuccessTrap - UNEXPECTED VARBINDS for panURLSaveMpCacheToDiscSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2032 + # panURLRfsProcessStartsTrap + # + # RFS process starts. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessStartsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessStartsTrap" + root.out.event.category.name = "panURLRfsProcessStartsTrap" + root.out.event.message = "panURLRfsProcessStartsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessStartsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessStartsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLRfsProcessStartsTrap - UNEXPECTED VARBINDS for panURLRfsProcessStartsTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2033 + # panURLRfsProcessStoppedTrap + # + # RFS process was stopped. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessStoppedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessStoppedTrap" + root.out.event.category.name = "panURLRfsProcessStoppedTrap" + root.out.event.message = "panURLRfsProcessStoppedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessStoppedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessStoppedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLRfsProcessStoppedTrap - UNEXPECTED VARBINDS for panURLRfsProcessStoppedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2034 + # panURLRfsProcessFailureTrap + # + # RFS process failed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessFailureTrap" + root.out.event.category.name = "panURLRfsProcessFailureTrap" + root.out.event.message = "panURLRfsProcessFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRfsProcessFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLRfsProcessFailureTrap - UNEXPECTED VARBINDS for panURLRfsProcessFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2035 + # panURLRequestToCloudFailureTrap + # + # Request to cloud failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRequestToCloudFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRequestToCloudFailureTrap" + root.out.event.category.name = "panURLRequestToCloudFailureTrap" + root.out.event.message = "panURLRequestToCloudFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRequestToCloudFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLRequestToCloudFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLRequestToCloudFailureTrap - UNEXPECTED VARBINDS for panURLRequestToCloudFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2036 + # panURLStartsFromEmptySeedTrap + # + # Starts from empty seed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromEmptySeedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromEmptySeedTrap" + root.out.event.category.name = "panURLStartsFromEmptySeedTrap" + root.out.event.message = "panURLStartsFromEmptySeedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromEmptySeedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromEmptySeedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLStartsFromEmptySeedTrap - UNEXPECTED VARBINDS for panURLStartsFromEmptySeedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2037 + # panURLLoadSuccessTrap + # + # Load the URL seed successfully to MP TRIE. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLLoadSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLLoadSuccessTrap" + root.out.event.category.name = "panURLLoadSuccessTrap" + root.out.event.message = "panURLLoadSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLLoadSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLLoadSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLLoadSuccessTrap - UNEXPECTED VARBINDS for panURLLoadSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2038 + # panURLFailedToLockDownloadTrap + # + # Failed to lock download file since is used by another process + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLFailedToLockDownloadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLFailedToLockDownloadTrap" + root.out.event.category.name = "panURLFailedToLockDownloadTrap" + root.out.event.message = "panURLFailedToLockDownloadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLFailedToLockDownloadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLFailedToLockDownloadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLFailedToLockDownloadTrap - UNEXPECTED VARBINDS for panURLFailedToLockDownloadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2039 + # panURLEngineStartupFailureTrap + # + # Failed to start the URL engine. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLEngineStartupFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLEngineStartupFailureTrap" + root.out.event.category.name = "panURLEngineStartupFailureTrap" + root.out.event.message = "panURLEngineStartupFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLEngineStartupFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLEngineStartupFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLEngineStartupFailureTrap - UNEXPECTED VARBINDS for panURLEngineStartupFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2040 + # panURLSeedOutOfSyncTrap + # + # Seed is out of sync. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSeedOutOfSyncTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSeedOutOfSyncTrap" + root.out.event.category.name = "panURLSeedOutOfSyncTrap" + root.out.event.message = "panURLSeedOutOfSyncTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSeedOutOfSyncTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLSeedOutOfSyncTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLSeedOutOfSyncTrap - UNEXPECTED VARBINDS for panURLSeedOutOfSyncTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2041 + # panURLStartsFromBackupSeedTrap + # + # Starts from backed up seed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromBackupSeedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromBackupSeedTrap" + root.out.event.category.name = "panURLStartsFromBackupSeedTrap" + root.out.event.message = "panURLStartsFromBackupSeedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromBackupSeedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromBackupSeedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLStartsFromBackupSeedTrap - UNEXPECTED VARBINDS for panURLStartsFromBackupSeedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2042 + # panURLStartsFromDownloadSeedTrap + # + # Starts from download seed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromDownloadSeedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromDownloadSeedTrap" + root.out.event.category.name = "panURLStartsFromDownloadSeedTrap" + root.out.event.message = "panURLStartsFromDownloadSeedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromDownloadSeedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLStartsFromDownloadSeedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLStartsFromDownloadSeedTrap - UNEXPECTED VARBINDS for panURLStartsFromDownloadSeedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2043 + # panURLBackupSeedErrorTrap + # + # Backup seed error. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLBackupSeedErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLBackupSeedErrorTrap" + root.out.event.category.name = "panURLBackupSeedErrorTrap" + root.out.event.message = "panURLBackupSeedErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLBackupSeedErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLBackupSeedErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLBackupSeedErrorTrap - UNEXPECTED VARBINDS for panURLBackupSeedErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2044 + # panURLDownloadSeedErrorTrap + # + # Download seed error. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadSeedErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadSeedErrorTrap" + root.out.event.category.name = "panURLDownloadSeedErrorTrap" + root.out.event.message = "panURLDownloadSeedErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadSeedErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panURLDownloadSeedErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panURLDownloadSeedErrorTrap - UNEXPECTED VARBINDS for panURLDownloadSeedErrorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2300 + # panUSERIDConnectAgentTrap + # + # connect to agent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectAgentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectAgentTrap" + root.out.event.category.name = "panUSERIDConnectAgentTrap" + root.out.event.message = "panUSERIDConnectAgentTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectAgentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectAgentTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectAgentTrap - UNEXPECTED VARBINDS for panUSERIDConnectAgentTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2301 + # panUSERIDDisconnectAgentTrap + # + # disconnect from agent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectAgentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectAgentTrap" + root.out.event.category.name = "panUSERIDDisconnectAgentTrap" + root.out.event.message = "panUSERIDDisconnectAgentTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectAgentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectAgentTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDisconnectAgentTrap - UNEXPECTED VARBINDS for panUSERIDDisconnectAgentTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2302 + # panUSERIDAgentEventTrap + # + # events from agent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentEventTrap" + root.out.event.category.name = "panUSERIDAgentEventTrap" + root.out.event.message = "panUSERIDAgentEventTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentEventTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentEventTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentEventTrap - UNEXPECTED VARBINDS for panUSERIDAgentEventTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2303 + # panUSERIDConnectAgentFailureTrap + # + # failed to connect to agent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectAgentFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectAgentFailureTrap" + root.out.event.category.name = "panUSERIDConnectAgentFailureTrap" + root.out.event.message = "panUSERIDConnectAgentFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectAgentFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectAgentFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectAgentFailureTrap - UNEXPECTED VARBINDS for panUSERIDConnectAgentFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2304 + # panUSERIDAgentVersionMismatchTrap + # + # device version is not supported on agent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentVersionMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentVersionMismatchTrap" + root.out.event.category.name = "panUSERIDAgentVersionMismatchTrap" + root.out.event.message = "panUSERIDAgentVersionMismatchTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentVersionMismatchTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentVersionMismatchTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentVersionMismatchTrap - UNEXPECTED VARBINDS for panUSERIDAgentVersionMismatchTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2305 + # panUSERIDAgentStatusFailureTrap + # + # failed to get status from agent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentStatusFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentStatusFailureTrap" + root.out.event.category.name = "panUSERIDAgentStatusFailureTrap" + root.out.event.message = "panUSERIDAgentStatusFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentStatusFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentStatusFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentStatusFailureTrap - UNEXPECTED VARBINDS for panUSERIDAgentStatusFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2306 + # panUSERIDAgentReadLogErrorTrap + # + # Agent failed to read logs + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentReadLogErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentReadLogErrorTrap" + root.out.event.category.name = "panUSERIDAgentReadLogErrorTrap" + root.out.event.message = "panUSERIDAgentReadLogErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentReadLogErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentReadLogErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentReadLogErrorTrap - UNEXPECTED VARBINDS for panUSERIDAgentReadLogErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2307 + # panUSERIDAgentGetDomainErrorTrap + # + # Agent failed to get domains + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + 
if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetDomainErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetDomainErrorTrap" + root.out.event.category.name = "panUSERIDAgentGetDomainErrorTrap" + root.out.event.message = "panUSERIDAgentGetDomainErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetDomainErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetDomainErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentGetDomainErrorTrap - UNEXPECTED VARBINDS for panUSERIDAgentGetDomainErrorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2308 + # panUSERIDAgentGetUsersErrorTrap + # + # Agent failed to get users + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetUsersErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetUsersErrorTrap" + root.out.event.category.name = "panUSERIDAgentGetUsersErrorTrap" + root.out.event.message = "panUSERIDAgentGetUsersErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetUsersErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetUsersErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentGetUsersErrorTrap - UNEXPECTED VARBINDS for panUSERIDAgentGetUsersErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2309 + # panUSERIDAgentGetGroupsErrorTrap + # + # Agent failed to get groups + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") 
{ + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetGroupsErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetGroupsErrorTrap" + root.out.event.category.name = "panUSERIDAgentGetGroupsErrorTrap" + root.out.event.message = "panUSERIDAgentGetGroupsErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetGroupsErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetGroupsErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentGetGroupsErrorTrap - UNEXPECTED VARBINDS for panUSERIDAgentGetGroupsErrorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2310 + # panUSERIDAgentGetConfigErrorTrap + # + # Agent failed to get config + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetConfigErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetConfigErrorTrap" + root.out.event.category.name = "panUSERIDAgentGetConfigErrorTrap" + root.out.event.message = "panUSERIDAgentGetConfigErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetConfigErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentGetConfigErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentGetConfigErrorTrap - UNEXPECTED VARBINDS for panUSERIDAgentGetConfigErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2311 + # panUSERIDAgentNoDomainTrap + # + # Agent has no domains + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentNoDomainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentNoDomainTrap" + root.out.event.category.name = "panUSERIDAgentNoDomainTrap" + root.out.event.message = "panUSERIDAgentNoDomainTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentNoDomainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentNoDomainTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentNoDomainTrap - UNEXPECTED VARBINDS for panUSERIDAgentNoDomainTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2312 + # panUSERIDAgentNoAllowlistTrap + # + # Agent has no allow list + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentNoAllowlistTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentNoAllowlistTrap" + root.out.event.category.name = "panUSERIDAgentNoAllowlistTrap" + root.out.event.message = "panUSERIDAgentNoAllowlistTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentNoAllowlistTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDAgentNoAllowlistTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDAgentNoAllowlistTrap - UNEXPECTED VARBINDS for panUSERIDAgentNoAllowlistTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2313 + # panUSERIDConnectLdapSeverTrap + # + # connect to ldap server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectLdapSeverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectLdapSeverTrap" + root.out.event.category.name = "panUSERIDConnectLdapSeverTrap" + root.out.event.message = "panUSERIDConnectLdapSeverTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectLdapSeverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectLdapSeverTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectLdapSeverTrap - UNEXPECTED VARBINDS for panUSERIDConnectLdapSeverTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2314 + # panUSERIDConnectLdapSeverFailureTrap + # + # failed to connect to ldap server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectLdapSeverFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectLdapSeverFailureTrap" + root.out.event.category.name = "panUSERIDConnectLdapSeverFailureTrap" + root.out.event.message = "panUSERIDConnectLdapSeverFailureTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectLdapSeverFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectLdapSeverFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectLdapSeverFailureTrap - UNEXPECTED VARBINDS for panUSERIDConnectLdapSeverFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2315 + # panUSERIDGetLdapDataFailureTrap + # + # failed to get data from ldap server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGetLdapDataFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGetLdapDataFailureTrap" + root.out.event.category.name = "panUSERIDGetLdapDataFailureTrap" + root.out.event.message = "panUSERIDGetLdapDataFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGetLdapDataFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGetLdapDataFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDGetLdapDataFailureTrap - UNEXPECTED VARBINDS for panUSERIDGetLdapDataFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2316 + # panUSERIDHAQueueFullTrap + # + # HA queue is full + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHAQueueFullTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHAQueueFullTrap" + root.out.event.category.name = "panUSERIDHAQueueFullTrap" + root.out.event.message = "panUSERIDHAQueueFullTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHAQueueFullTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHAQueueFullTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDHAQueueFullTrap - UNEXPECTED VARBINDS for panUSERIDHAQueueFullTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2317 + # panUSERIDConnectClientTrap + # + # client is connected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectClientTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectClientTrap" + root.out.event.category.name = "panUSERIDConnectClientTrap" + root.out.event.message = "panUSERIDConnectClientTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectClientTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectClientTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectClientTrap - UNEXPECTED VARBINDS for panUSERIDConnectClientTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2318 + # panUSERIDDisconnectClientTrap + # + # client is disconnected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectClientTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectClientTrap" + root.out.event.category.name = "panUSERIDDisconnectClientTrap" + root.out.event.message = "panUSERIDDisconnectClientTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectClientTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectClientTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDisconnectClientTrap - UNEXPECTED VARBINDS for panUSERIDDisconnectClientTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2319 + # panUSERIDConnectServerMonitorTrap + # + # connect to server monitor + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectServerMonitorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectServerMonitorTrap" + root.out.event.category.name = "panUSERIDConnectServerMonitorTrap" + root.out.event.message = "panUSERIDConnectServerMonitorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectServerMonitorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectServerMonitorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectServerMonitorTrap - UNEXPECTED VARBINDS for panUSERIDConnectServerMonitorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2320 + # panUSERIDConnectServerMonitorFailureTrap + # + # failed to connect to server monitor + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectServerMonitorFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectServerMonitorFailureTrap" + root.out.event.category.name = "panUSERIDConnectServerMonitorFailureTrap" + root.out.event.message = "panUSERIDConnectServerMonitorFailureTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectServerMonitorFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectServerMonitorFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectServerMonitorFailureTrap - UNEXPECTED VARBINDS for panUSERIDConnectServerMonitorFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2321 + # panUSERIDConnectVmInfoSourceTrap + # + # vm-info-source is connected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectVmInfoSourceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectVmInfoSourceTrap" + root.out.event.category.name = "panUSERIDConnectVmInfoSourceTrap" + root.out.event.message = "panUSERIDConnectVmInfoSourceTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectVmInfoSourceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectVmInfoSourceTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectVmInfoSourceTrap - UNEXPECTED VARBINDS for panUSERIDConnectVmInfoSourceTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2322 + # panUSERIDDisconnectVmInfoSourceTrap + # + # vm-info-source is disconnected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectVmInfoSourceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectVmInfoSourceTrap" + root.out.event.category.name = "panUSERIDDisconnectVmInfoSourceTrap" + root.out.event.message = "panUSERIDDisconnectVmInfoSourceTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectVmInfoSourceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectVmInfoSourceTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDisconnectVmInfoSourceTrap - UNEXPECTED VARBINDS for panUSERIDDisconnectVmInfoSourceTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2323 + # panUSERIDConnectVmInfoSourceFailureTrap + # + # failed to connect to vm-info-source + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectVmInfoSourceFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectVmInfoSourceFailureTrap" + root.out.event.category.name = "panUSERIDConnectVmInfoSourceFailureTrap" + root.out.event.message = "panUSERIDConnectVmInfoSourceFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectVmInfoSourceFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectVmInfoSourceFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectVmInfoSourceFailureTrap - UNEXPECTED VARBINDS for panUSERIDConnectVmInfoSourceFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2324 + # panUSERIDRegisteredIpUpdateFailureTrap + # + # failed to integrate the update of registered ip addresses + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDRegisteredIpUpdateFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDRegisteredIpUpdateFailureTrap" + root.out.event.category.name = "panUSERIDRegisteredIpUpdateFailureTrap" + root.out.event.message = "panUSERIDRegisteredIpUpdateFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDRegisteredIpUpdateFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDRegisteredIpUpdateFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDRegisteredIpUpdateFailureTrap - UNEXPECTED VARBINDS for panUSERIDRegisteredIpUpdateFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2325 + # panUSERIDConnectSyslogTrap + # + # connect to syslog server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectSyslogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectSyslogTrap" + root.out.event.category.name = "panUSERIDConnectSyslogTrap" + root.out.event.message = "panUSERIDConnectSyslogTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectSyslogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDConnectSyslogTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDConnectSyslogTrap - UNEXPECTED VARBINDS for panUSERIDConnectSyslogTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2326 + # panUSERIDDisconnectSyslogTrap + # + # disconnect from syslog server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectSyslogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectSyslogTrap" + root.out.event.category.name = "panUSERIDDisconnectSyslogTrap" + root.out.event.message = "panUSERIDDisconnectSyslogTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectSyslogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDisconnectSyslogTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDisconnectSyslogTrap - UNEXPECTED VARBINDS for panUSERIDDisconnectSyslogTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2327 + # panUSERIDUserGroupCountTrap + # + # user group count exceeds threshold + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDUserGroupCountTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDUserGroupCountTrap" + root.out.event.category.name = "panUSERIDUserGroupCountTrap" + root.out.event.message = "panUSERIDUserGroupCountTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDUserGroupCountTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDUserGroupCountTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDUserGroupCountTrap - UNEXPECTED VARBINDS for panUSERIDUserGroupCountTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2328 + # panUSERIDUserCountTrap + # + # number of users exceeds threshold + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDUserCountTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDUserCountTrap" + root.out.event.category.name = "panUSERIDUserCountTrap" + root.out.event.message = "panUSERIDUserCountTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDUserCountTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDUserCountTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDUserCountTrap - UNEXPECTED VARBINDS for panUSERIDUserCountTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2329 + # panUSERIDGlobalprotectgatewayInvalidLicenseTrap + # + # globalprotect gateway license is invalid + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGlobalprotectgatewayInvalidLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGlobalprotectgatewayInvalidLicenseTrap" + root.out.event.category.name = "panUSERIDGlobalprotectgatewayInvalidLicenseTrap" + root.out.event.message = "panUSERIDGlobalprotectgatewayInvalidLicenseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGlobalprotectgatewayInvalidLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGlobalprotectgatewayInvalidLicenseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDGlobalprotectgatewayInvalidLicenseTrap - UNEXPECTED VARBINDS for panUSERIDGlobalprotectgatewayInvalidLicenseTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2330 + # panUSERIDCuidStatusTrap + # + # Cloud UserID enable/disable status changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidStatusTrap" + root.out.event.category.name = "panUSERIDCuidStatusTrap" + root.out.event.message = "panUSERIDCuidStatusTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidStatusTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDCuidStatusTrap - UNEXPECTED VARBINDS for SPEpanUSERIDCuidStatusTrapIFIC trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2331 + # panUSERIDCuidConfigTrap + # + # Cloud UserID data type role changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidConfigTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidConfigTrap" + root.out.event.category.name = "panUSERIDCuidConfigTrap" + root.out.event.message = "panUSERIDCuidConfigTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidConfigTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidConfigTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDCuidConfigTrap - UNEXPECTED VARBINDS for panUSERIDCuidConfigTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2332 + # panUSERIDCuidConnTrap + # + # Cloud UserID connect/disconnect + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidConnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidConnTrap" + root.out.event.category.name = "panUSERIDCuidConnTrap" + root.out.event.message = "panUSERIDCuidConnTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidConnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDCuidConnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDCuidConnTrap - UNEXPECTED VARBINDS for panUSERIDCuidConnTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2333 + # panUSERIDDscDaemonStartTrap + # + # Directory Sync Client daemon is ready + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscDaemonStartTrap" + root.out.event.category.name = "panUSERIDDscDaemonStartTrap" + root.out.event.message = "panUSERIDDscDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDscDaemonStartTrap - UNEXPECTED VARBINDS for panUSERIDDscDaemonStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2334 + # panUSERIDDscHaStatusTrap + # + # Directory Sync Client HA status changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscHaStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscHaStatusTrap" + root.out.event.category.name = "panUSERIDDscHaStatusTrap" + root.out.event.message = "panUSERIDDscHaStatusTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscHaStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscHaStatusTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDscHaStatusTrap - UNEXPECTED VARBINDS for panUSERIDDscHaStatusTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2335 + # panUSERIDDscDatabaseTrap + # + # Directory Sync client database connection success + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscDatabaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscDatabaseTrap" + root.out.event.category.name = "panUSERIDDscDatabaseTrap" + root.out.event.message = "panUSERIDDscDatabaseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscDatabaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDscDatabaseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDscDatabaseTrap - UNEXPECTED VARBINDS for panUSERIDDscDatabaseTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2336 + # panUSERIDDssConnSuccessTrap + # + # Directory Sync Service connection Success + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssConnSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssConnSuccessTrap" + root.out.event.category.name = "panUSERIDDssConnSuccessTrap" + root.out.event.message = "panUSERIDDssConnSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssConnSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssConnSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDssConnSuccessTrap - UNEXPECTED VARBINDS for panUSERIDDssConnSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2337 + # panUSERIDDssConnFailedTrap + # + # Directory Sync Service connection Failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssConnFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssConnFailedTrap" + root.out.event.category.name = "panUSERIDDssConnFailedTrap" + root.out.event.message = "panUSERIDDssConnFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssConnFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssConnFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDssConnFailedTrap - UNEXPECTED VARBINDS for panUSERIDDssConnFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2338 + # panUSERIDDssCfgDataTrap + # + # Directory Sync Service config data Failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssCfgDataTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssCfgDataTrap" + root.out.event.category.name = "panUSERIDDssCfgDataTrap" + root.out.event.message = "panUSERIDDssCfgDataTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssCfgDataTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDDssCfgDataTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDDssCfgDataTrap - UNEXPECTED VARBINDS for panUSERIDDssCfgDataTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2339 + # panUSERIDGeneralTrap + # + # General + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGeneralTrap" + root.out.event.category.name = "panUSERIDGeneralTrap" + root.out.event.message = "panUSERIDGeneralTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDGeneralTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDGeneralTrap - UNEXPECTED VARBINDS for panUSERIDGeneralTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2340 + # panUSERIDHaIdmgrMergeHasConflictTrap + # + # HA Idmgr mrege has conflict + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHaIdmgrMergeHasConflictTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHaIdmgrMergeHasConflictTrap" + root.out.event.category.name = "panUSERIDHaIdmgrMergeHasConflictTrap" + root.out.event.message = "panUSERIDHaIdmgrMergeHasConflictTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHaIdmgrMergeHasConflictTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHaIdmgrMergeHasConflictTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDHaIdmgrMergeHasConflictTrap - UNEXPECTED VARBINDS for panUSERIDHaIdmgrMergeHasConflictTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2341 + # panUSERIDHaReloadGroupsDiskDoneTrap + # + # Reload groups files from disk is done + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHaReloadGroupsDiskDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHaReloadGroupsDiskDoneTrap" + root.out.event.category.name = "panUSERIDHaReloadGroupsDiskDoneTrap" + root.out.event.message = "panUSERIDHaReloadGroupsDiskDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHaReloadGroupsDiskDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUSERIDHaReloadGroupsDiskDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUSERIDHaReloadGroupsDiskDoneTrap - UNEXPECTED VARBINDS for panUSERIDHaReloadGroupsDiskDoneTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2400 + # panNATFallbackReportTrap + # + # Fallback Report + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFallbackReportTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFallbackReportTrap" + root.out.event.category.name = "panNATFallbackReportTrap" + root.out.event.message = "panNATFallbackReportTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFallbackReportTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFallbackReportTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panNATFallbackReportTrap - UNEXPECTED VARBINDS for panNATFallbackReportTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2401 + # panNATFqdnAddTrap + # + # Add FQDN IP entry + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFqdnAddTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFqdnAddTrap" + root.out.event.category.name = "panNATFqdnAddTrap" + root.out.event.message = "panNATFqdnAddTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFqdnAddTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFqdnAddTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panNATFqdnAddTrap - UNEXPECTED VARBINDS for panNATFqdnAddTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2402 + # panNATFqdnDelTrap + # + # Delete FQDN IP entry + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFqdnDelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFqdnDelTrap" + root.out.event.category.name = "panNATFqdnDelTrap" + root.out.event.message = "panNATFqdnDelTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFqdnDelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATFqdnDelTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panNATFqdnDelTrap - UNEXPECTED VARBINDS for panNATFqdnDelTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2403 + # panNATPersistentDippTrap + # + # Persistent DIPP + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATPersistentDippTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATPersistentDippTrap" + root.out.event.category.name = "panNATPersistentDippTrap" + root.out.event.message = "panNATPersistentDippTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panNATPersistentDippTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-SPpanNATPersistentDippTrapCIFIC-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panNATPersistentDippTrap - UNEXPECTED VARBINDS for panNATPersistentDippTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2500 + # panSYSLOGNGSyslogConnStatusTrap + # + # connection status with syslog server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSYSLOGNGSyslogConnStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSYSLOGNGSyslogConnStatusTrap" + root.out.event.category.name = "panSYSLOGNGSyslogConnStatusTrap" + root.out.event.message = "panSYSLOGNGSyslogConnStatusTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSYSLOGNGSyslogConnStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSYSLOGNGSyslogConnStatusTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSYSLOGNGSyslogConnStatusTrap - UNEXPECTED VARBINDS for panSYSLOGNGSyslogConnStatusTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2600 + # panLACPLostConnectivityTrap + # + # Peer lost connectivity + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLostConnectivityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLostConnectivityTrap" + root.out.event.category.name = "panLACPLostConnectivityTrap" + root.out.event.message = "panLACPLostConnectivityTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLostConnectivityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLostConnectivityTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLACPLostConnectivityTrap - UNEXPECTED VARBINDS for panLACPLostConnectivityTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2601 + # panLACPUnresponsiveTrap + # + # Peer not responding + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPUnresponsiveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPUnresponsiveTrap" + root.out.event.category.name = "panLACPUnresponsiveTrap" + root.out.event.message = "panLACPUnresponsiveTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPUnresponsiveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPUnresponsiveTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLACPUnresponsiveTrap - UNEXPECTED VARBINDS for panLACPUnresponsiveTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2602 + # panLACPNegoFailTrap + # + # Negotiation failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPNegoFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPNegoFailTrap" + root.out.event.category.name = "panLACPNegoFailTrap" + root.out.event.message = "panLACPNegoFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPNegoFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPNegoFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLACPNegoFailTrap - UNEXPECTED VARBINDS for panLACPNegoFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2603 + # panLACPSpeedDuplexTrap + # + # Speed duplex mismatch + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPSpeedDuplexTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPSpeedDuplexTrap" + root.out.event.category.name = "panLACPSpeedDuplexTrap" + root.out.event.message = "panLACPSpeedDuplexTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPSpeedDuplexTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPSpeedDuplexTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLACPSpeedDuplexTrap - UNEXPECTED VARBINDS for panLACPSpeedDuplexTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2604 + # panLACPLinkDownTrap + # + # link down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLinkDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLinkDownTrap" + root.out.event.category.name = "panLACPLinkDownTrap" + root.out.event.message = "panLACPLinkDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLinkDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLinkDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLACPLinkDownTrap - UNEXPECTED VARBINDS for panLACPLinkDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2605 + # panLACPLacpDownTrap + # + # Port left lacp lag + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLacpDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLacpDownTrap" + root.out.event.category.name = "panLACPLacpDownTrap" + root.out.event.message = "panLACPLacpDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLacpDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLacpDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLACPLacpDownTrap - UNEXPECTED VARBINDS for panLACPLacpDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2606 + # panLACPLacpUpTrap + # + # Port joined lacp lag + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLacpUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLacpUpTrap" + root.out.event.category.name = "panLACPLacpUpTrap" + root.out.event.message = "panLACPLacpUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLacpUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLACPLacpUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLACPLacpUpTrap - UNEXPECTED VARBINDS for panLACPLacpUpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2700 + # panFIPSFipsSelftestUnknownTrap + # + # Unknown FIPS Test failure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestUnknownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestUnknownTrap" + root.out.event.category.name = "panFIPSFipsSelftestUnknownTrap" + root.out.event.message = "panFIPSFipsSelftestUnknownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestUnknownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestUnknownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestUnknownTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestUnknownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2701 + # panFIPSFipsSelftestTimeoutTrap + # + # FIPS test timeout + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestTimeoutTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestTimeoutTrap" + root.out.event.category.name = "panFIPSFipsSelftestTimeoutTrap" + root.out.event.message = "panFIPSFipsSelftestTimeoutTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestTimeoutTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestTimeoutTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestTimeoutTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestTimeoutTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2702 + # panFIPSFipsSelftestIntegTrap + # + # Software Integrety Test + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestIntegTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestIntegTrap" + root.out.event.category.name = "panFIPSFipsSelftestIntegTrap" + root.out.event.message = "panFIPSFipsSelftestIntegTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestIntegTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestIntegTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestIntegTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestIntegTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2703 + # panFIPSFipsSelftestCoreTrap + # + # Dataplane processor core validation result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { 
+ if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestCoreTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestCoreTrap" + root.out.event.category.name = "panFIPSFipsSelftestCoreTrap" + root.out.event.message = "panFIPSFipsSelftestCoreTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestCoreTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestCoreTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestCoreTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestCoreTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2704 + # panFIPSFipsSelftestAesTrap + # + # AES, AES-GCM, AES-CCM, AES-XTS Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestAesTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestAesTrap" + root.out.event.category.name = "panFIPSFipsSelftestAesTrap" + root.out.event.message = "panFIPSFipsSelftestAesTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestAesTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestAesTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestAesTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestAesTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2705 + # panFIPSFipsSelftestDesTrap + # + # 3DES Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDesTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDesTrap" + root.out.event.category.name = "panFIPSFipsSelftestDesTrap" + root.out.event.message = "panFIPSFipsSelftestDesTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDesTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDesTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestDesTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestDesTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2706 + # panFIPSFipsSelftestDsaTrap + # + # DSA Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDsaTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDsaTrap" + root.out.event.category.name = "panFIPSFipsSelftestDsaTrap" + root.out.event.message = "panFIPSFipsSelftestDsaTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDsaTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDsaTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestDsaTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestDsaTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2707 + # panFIPSFipsSelftestRsaTrap + # + # RSA Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestRsaTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestRsaTrap" + root.out.event.category.name = "panFIPSFipsSelftestRsaTrap" + root.out.event.message = "panFIPSFipsSelftestRsaTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestRsaTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestRsaTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestRsaTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestRsaTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2708 + # panFIPSFipsSelftestHmacTrap + # + # HMAC-SHA-1 HMAC-SHA-256 HMAC-SHA-384 HMAC-SHA-512 Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestHmacTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestHmacTrap" + root.out.event.category.name = "panFIPSFipsSelftestHmacTrap" + root.out.event.message = "panFIPSFipsSelftestHmacTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestHmacTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestHmacTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestHmacTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestHmacTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2709 + # panFIPSFipsSelftestShaTrap + # + # SHA-256 SHA-384 SHA-512 Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestShaTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestShaTrap" + root.out.event.category.name = "panFIPSFipsSelftestShaTrap" + root.out.event.message = "panFIPSFipsSelftestShaTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestShaTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestShaTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestShaTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestShaTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2710 + # panFIPSFipsSelftestDrngTrap + # + # DRNG Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDrngTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDrngTrap" + root.out.event.category.name = "panFIPSFipsSelftestDrngTrap" + root.out.event.message = "panFIPSFipsSelftestDrngTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDrngTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDrngTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestDrngTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestDrngTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2711 + # panFIPSFipsSelftestNdrngTrap + # + # NDRNG Validation Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestNdrngTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestNdrngTrap" + root.out.event.category.name = "panFIPSFipsSelftestNdrngTrap" + root.out.event.message = "panFIPSFipsSelftestNdrngTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestNdrngTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestNdrngTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestNdrngTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestNdrngTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2712 + # panFIPSFipsSelftestDhParameterTrap + # + # DH Parameter Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDhParameterTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDhParameterTrap" + root.out.event.category.name = "panFIPSFipsSelftestDhParameterTrap" + root.out.event.message = "panFIPSFipsSelftestDhParameterTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDhParameterTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDhParameterTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestDhParameterTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestDhParameterTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2713 + # panFIPSFipsSelftestDhTrap + # + # DH Parameter Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDhTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDhTrap" + root.out.event.category.name = "panFIPSFipsSelftestDhTrap" + root.out.event.message = "panFIPSFipsSelftestDhTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDhTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDhTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestDhTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestDhTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2714 + # panFIPSFipsFirmwareIntegrityTrap + # + # Firmware Integrity Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsFirmwareIntegrityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsFirmwareIntegrityTrap" + root.out.event.category.name = "panFIPSFipsFirmwareIntegrityTrap" + root.out.event.message = "panFIPSFipsFirmwareIntegrityTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsFirmwareIntegrityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsFirmwareIntegrityTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsFirmwareIntegrityTrap - UNEXPECTED VARBINDS for panFIPSFipsFirmwareIntegrityTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2715 + # panFIPSFipsContinuousRngTrap + # + # Continuous Random Number Generator RNG Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsContinuousRngTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsContinuousRngTrap" + root.out.event.category.name = "panFIPSFipsContinuousRngTrap" + root.out.event.message = "panFIPSFipsContinuousRngTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsContinuousRngTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsContinuousRngTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsContinuousRngTrap - UNEXPECTED VARBINDS for panFIPSFipsContinuousRngTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2716 + # panFIPSFipsRsaPairwiseConsistencyTrap + # + # RSA Pairwise Consistency Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsRsaPairwiseConsistencyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsRsaPairwiseConsistencyTrap" + root.out.event.category.name = "panFIPSFipsRsaPairwiseConsistencyTrap" + root.out.event.message = "panFIPSFipsRsaPairwiseConsistencyTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsRsaPairwiseConsistencyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsRsaPairwiseConsistencyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsRsaPairwiseConsistencyTrap - UNEXPECTED VARBINDS for panFIPSFipsRsaPairwiseConsistencyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2717 + # panFIPSFipsSelftestSoftwareLoadTrap + # + # Software/Firmware Load Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestSoftwareLoadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestSoftwareLoadTrap" + root.out.event.category.name = "panFIPSFipsSelftestSoftwareLoadTrap" + root.out.event.message = "panFIPSFipsSelftestSoftwareLoadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestSoftwareLoadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestSoftwareLoadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestSoftwareLoadTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestSoftwareLoadTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2718 + # panFIPSFipsSelftestTrap + # + # FIPS-CC Mode self-tests + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestTrap" + root.out.event.category.name = "panFIPSFipsSelftestTrap" + root.out.event.message = "panFIPSFipsSelftestTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2719 + # panFIPSFipsSelftestHsmTrap + # + # HSM self-tests result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestHsmTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestHsmTrap" + root.out.event.category.name = "panFIPSFipsSelftestHsmTrap" + root.out.event.message = "panFIPSFipsSelftestHsmTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestHsmTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestHsmTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestHsmTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestHsmTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2720 + # panFIPSFipsZeroizationTrap + # + # Zeroization error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsZeroizationTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsZeroizationTrap" + root.out.event.category.name = "panFIPSFipsZeroizationTrap" + root.out.event.message = "panFIPSFipsZeroizationTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsZeroizationTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsZeroizationTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsZeroizationTrap - UNEXPECTED VARBINDS for panFIPSFipsZeroizationTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2721 + # panFIPSFipsKeyTrap + # + # Key failure in openssl + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsKeyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsKeyTrap" + root.out.event.category.name = "panFIPSFipsKeyTrap" + root.out.event.message = "panFIPSFipsKeyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsKeyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsKeyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsKeyTrap - UNEXPECTED VARBINDS for panFIPSFipsKeyTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2722 + # panFIPSFipsCipherTrap + # + # Cipher failure in openssl + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsCipherTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsCipherTrap" + root.out.event.category.name = "panFIPSFipsCipherTrap" + root.out.event.message = "panFIPSFipsCipherTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsCipherTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsCipherTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsCipherTrap - UNEXPECTED VARBINDS for panFIPSFipsCipherTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2723 + # panFIPSFipsReplayTrap + # + # Session replay detected in openssl + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsReplayTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsReplayTrap" + root.out.event.category.name = "panFIPSFipsReplayTrap" + root.out.event.message = "panFIPSFipsReplayTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsReplayTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsReplayTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsReplayTrap - UNEXPECTED VARBINDS for panFIPSFipsReplayTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2724 + # panFIPSFipsSslHandshakeTrap + # + # SSL session handshake failure detected in openssl + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSslHandshakeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSslHandshakeTrap" + root.out.event.category.name = "panFIPSFipsSslHandshakeTrap" + root.out.event.message = "panFIPSFipsSslHandshakeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSslHandshakeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSslHandshakeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSslHandshakeTrap - UNEXPECTED VARBINDS for panFIPSFipsSslHandshakeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2725 + # panFIPSFipsContinuousNdrngTrap + # + # Continuous Random Number Generator Seeding Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsContinuousNdrngTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsContinuousNdrngTrap" + root.out.event.category.name = "panFIPSFipsContinuousNdrngTrap" + root.out.event.message = "panFIPSFipsContinuousNdrngTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsContinuousNdrngTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsContinuousNdrngTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsContinuousNdrngTrap - UNEXPECTED VARBINDS for panFIPSFipsContinuousNdrngTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2726 + # panFIPSFipsSelftestCmacTrap + # + # CMAC Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestCmacTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestCmacTrap" + root.out.event.category.name = "panFIPSFipsSelftestCmacTrap" + root.out.event.message = "panFIPSFipsSelftestCmacTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestCmacTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestCmacTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestCmacTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestCmacTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2727 + # panFIPSFipsSelftestDrbgTrap + # + # DRBG Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDrbgTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDrbgTrap" + root.out.event.category.name = "panFIPSFipsSelftestDrbgTrap" + root.out.event.message = "panFIPSFipsSelftestDrbgTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDrbgTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestDrbgTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestDrbgTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestDrbgTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2728 + # panFIPSFipsSelftestEcdsaTrap + # + # ECDSA Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestEcdsaTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestEcdsaTrap" + root.out.event.category.name = "panFIPSFipsSelftestEcdsaTrap" + root.out.event.message = "panFIPSFipsSelftestEcdsaTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestEcdsaTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestEcdsaTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestEcdsaTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestEcdsaTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2729 + # panFIPSFipsSelftestEcdhTrap + # + # ECDH Known Answer Test result + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestEcdhTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestEcdhTrap" + root.out.event.category.name = "panFIPSFipsSelftestEcdhTrap" + root.out.event.message = "panFIPSFipsSelftestEcdhTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestEcdhTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFIPSFipsSelftestEcdhTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFIPSFipsSelftestEcdhTrap - UNEXPECTED VARBINDS for panFIPSFipsSelftestEcdhTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2800 + # panMDMExceedLicenseTrap + # + # number of devices exceeds license + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMExceedLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMExceedLicenseTrap" + root.out.event.category.name = "panMDMExceedLicenseTrap" + root.out.event.message = "panMDMExceedLicenseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMExceedLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMExceedLicenseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMExceedLicenseTrap - UNEXPECTED VARBINDS for panMDMExceedLicenseTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2801 + # panMDMConnectToApnsTrap + # + # connect to APNS + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToApnsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToApnsTrap" + root.out.event.category.name = "panMDMConnectToApnsTrap" + root.out.event.message = "panMDMConnectToApnsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToApnsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToApnsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMConnectToApnsTrap - UNEXPECTED VARBINDS for panMDMConnectToApnsTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2802 + # panMDMConnectToApnsFailureTrap + # + # failed to connect to APNS + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToApnsFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToApnsFailureTrap" + root.out.event.category.name = "panMDMConnectToApnsFailureTrap" + root.out.event.message = "panMDMConnectToApnsFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToApnsFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToApnsFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMConnectToApnsFailureTrap - UNEXPECTED VARBINDS for panMDMConnectToApnsFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2803 + # panMDMConnectToGcmTrap + # + # connect to GCM + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToGcmTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToGcmTrap" + root.out.event.category.name = "panMDMConnectToGcmTrap" + root.out.event.message = "panMDMConnectToGcmTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToGcmTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToGcmTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMConnectToGcmTrap - UNEXPECTED VARBINDS for panMDMConnectToGcmTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2804 + # panMDMConnectToGcmFailureTrap + # + # failed to connect to GCM + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToGcmFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToGcmFailureTrap" + root.out.event.category.name = "panMDMConnectToGcmFailureTrap" + root.out.event.message = "panMDMConnectToGcmFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToGcmFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToGcmFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMConnectToGcmFailureTrap - UNEXPECTED VARBINDS for panMDMConnectToGcmFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2805 + # panMDMGatewayConnectedTrap + # + # gateway connected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGatewayConnectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGatewayConnectedTrap" + root.out.event.category.name = "panMDMGatewayConnectedTrap" + root.out.event.message = "panMDMGatewayConnectedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGatewayConnectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGatewayConnectedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMGatewayConnectedTrap - UNEXPECTED VARBINDS for panMDMGatewayConnectedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2806 + # panMDMGatewayDisconnectedTrap + # + # gateway disconnected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGatewayDisconnectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGatewayDisconnectedTrap" + root.out.event.category.name = "panMDMGatewayDisconnectedTrap" + root.out.event.message = "panMDMGatewayDisconnectedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGatewayDisconnectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGatewayDisconnectedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMGatewayDisconnectedTrap - UNEXPECTED VARBINDS for panMDMGatewayDisconnectedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2807 + # panMDMInstallAppContentTrap + # + # install app content + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMInstallAppContentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMInstallAppContentTrap" + root.out.event.category.name = "panMDMInstallAppContentTrap" + root.out.event.message = "panMDMInstallAppContentTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMInstallAppContentTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMInstallAppContentTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMInstallAppContentTrap - UNEXPECTED VARBINDS for panMDMInstallAppContentTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2808 + # panMDMInstallAppContentFailureTrap + # + # failed to install app content + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMInstallAppContentFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMInstallAppContentFailureTrap" + root.out.event.category.name = "panMDMInstallAppContentFailureTrap" + root.out.event.message = "panMDMInstallAppContentFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMInstallAppContentFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMInstallAppContentFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMInstallAppContentFailureTrap - UNEXPECTED VARBINDS for panMDMInstallAppContentFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2809 + # panMDMGetScepOtpFailureTrap + # + # failed to get OTP from SCEP server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGetScepOtpFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGetScepOtpFailureTrap" + root.out.event.category.name = "panMDMGetScepOtpFailureTrap" + root.out.event.message = "panMDMGetScepOtpFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGetScepOtpFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMGetScepOtpFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMGetScepOtpFailureTrap - UNEXPECTED VARBINDS for panMDMGetScepOtpFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2810 + # panMDMSendMsgToCloudFailureTrap + # + # failed to send message to cloud + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMSendMsgToCloudFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMSendMsgToCloudFailureTrap" + root.out.event.category.name = "panMDMSendMsgToCloudFailureTrap" + root.out.event.message = "panMDMSendMsgToCloudFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMSendMsgToCloudFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMSendMsgToCloudFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMSendMsgToCloudFailureTrap - UNEXPECTED VARBINDS for panMDMSendMsgToCloudFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2811 + # panMDMConnectToItunesFailureTrap + # + # failed to connect to iTunes + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") 
{ + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToItunesFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToItunesFailureTrap" + root.out.event.category.name = "panMDMConnectToItunesFailureTrap" + root.out.event.message = "panMDMConnectToItunesFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToItunesFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToItunesFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMConnectToItunesFailureTrap - UNEXPECTED VARBINDS for panMDMConnectToItunesFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2812 + # panMDMConnectToAppleVppFailureTrap + # + # failed to connect to Apple VPP + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToAppleVppFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToAppleVppFailureTrap" + root.out.event.category.name = "panMDMConnectToAppleVppFailureTrap" + root.out.event.message = "panMDMConnectToAppleVppFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToAppleVppFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMDMConnectToAppleVppFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMDMConnectToAppleVppFailureTrap - UNEXPECTED VARBINDS for panMDMConnectToAppleVppFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2900 + # panRAIDDiskNotDetectedTrap + # + # Disk not detected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + 
if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskNotDetectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskNotDetectedTrap" + root.out.event.category.name = "panRAIDDiskNotDetectedTrap" + root.out.event.message = "panRAIDDiskNotDetectedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskNotDetectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskNotDetectedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDDiskNotDetectedTrap - UNEXPECTED VARBINDS for panRAIDDiskNotDetectedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2901 + # panRAIDPairDetectedTrap + # + # New Disk Pair detected + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDetectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDetectedTrap" + root.out.event.category.name = "panRAIDPairDetectedTrap" + root.out.event.message = "panRAIDPairDetectedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDetectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDetectedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDPairDetectedTrap - UNEXPECTED VARBINDS for panRAIDPairDetectedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2902 + # panRAIDRebuildingTrap + # + # Disk Pair Rebuild started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildingTrap" + root.out.event.category.name = "panRAIDRebuildingTrap" + root.out.event.message = "panRAIDRebuildingTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildingTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDRebuildingTrap - UNEXPECTED VARBINDS for panRAIDRebuildingTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2903 + # panRAIDRebuild20Trap + # + # Disk Pair Rebuild 20% done + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild20Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild20Trap" + root.out.event.category.name = "panRAIDRebuild20Trap" + root.out.event.message = "panRAIDRebuild20Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild20Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild20Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDRebuild20Trap - UNEXPECTED VARBINDS for panRAIDRebuild20Trap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2904 + # panRAIDRebuild40Trap + # + # Disk Pair Rebuild 40% done + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild40Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild40Trap" + root.out.event.category.name = "panRAIDRebuild40Trap" + root.out.event.message = "panRAIDRebuild40Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild40Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild40Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDRebuild40Trap - UNEXPECTED VARBINDS for panRAIDRebuild40Trap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2905 + # panRAIDRebuild60Trap + # + # Disk Pair Rebuild 60% done + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild60Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild60Trap" + root.out.event.category.name = "panRAIDRebuild60Trap" + root.out.event.message = "panRAIDRebuild60Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild60Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild60Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDRebuild60Trap - UNEXPECTED VARBINDS for panRAIDRebuild60Trap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2906 + # panRAIDRebuild80Trap + # + # Disk Pair Rebuild 80% done + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild80Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild80Trap" + root.out.event.category.name = "panRAIDRebuild80Trap" + root.out.event.message = "panRAIDRebuild80Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild80Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuild80Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDRebuild80Trap - UNEXPECTED VARBINDS for panRAIDRebuild80Trap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2907 + # panRAIDRebuildDoneTrap + # + # Disk Pair Rebuild complete + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildDoneTrap" + root.out.event.category.name = "panRAIDRebuildDoneTrap" + root.out.event.message = "panRAIDRebuildDoneTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildDoneTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildDoneTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDRebuildDoneTrap - UNEXPECTED VARBINDS for panRAIDRebuildDoneTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2908 + # panRAIDDiskActiveTrap + # + # Disk is now active + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskActiveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskActiveTrap" + root.out.event.category.name = "panRAIDDiskActiveTrap" + root.out.event.message = "panRAIDDiskActiveTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskActiveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskActiveTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDDiskActiveTrap - UNEXPECTED VARBINDS for panRAIDDiskActiveTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2909 + # panRAIDDiskFaultyTrap + # + # Disk marked faulty + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskFaultyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskFaultyTrap" + root.out.event.category.name = "panRAIDDiskFaultyTrap" + root.out.event.message = "panRAIDDiskFaultyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskFaultyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskFaultyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDDiskFaultyTrap - UNEXPECTED VARBINDS for panRAIDDiskFaultyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2910 + # panRAIDDiskFailedTrap + # + # Disk marked failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskFailedTrap" + root.out.event.category.name = "panRAIDDiskFailedTrap" + root.out.event.message = "panRAIDDiskFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDDiskFailedTrap - UNEXPECTED VARBINDS for panRAIDDiskFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2911 + # panRAIDSpareMissingTrap + # + # Spare disk missing + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDSpareMissingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDSpareMissingTrap" + root.out.event.category.name = "panRAIDSpareMissingTrap" + root.out.event.message = "panRAIDSpareMissingTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDSpareMissingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDSpareMissingTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDSpareMissingTrap - UNEXPECTED VARBINDS for panRAIDSpareMissingTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2912 + # panRAIDSpareMovedTrap + # + # Spare disk moved + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDSpareMovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDSpareMovedTrap" + root.out.event.category.name = "panRAIDSpareMovedTrap" + root.out.event.message = "panRAIDSpareMovedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDSpareMovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDSpareMovedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDSpareMovedTrap - UNEXPECTED VARBINDS for panRAIDSpareMovedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2913 + # panRAIDPairDegradedTrap + # + # Disk Pair Degraded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDegradedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDegradedTrap" + root.out.event.category.name = "panRAIDPairDegradedTrap" + root.out.event.message = "panRAIDPairDegradedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDegradedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDegradedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDPairDegradedTrap - UNEXPECTED VARBINDS for panRAIDPairDegradedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2914 + # panRAIDPairDisappearedTrap + # + # Disk Pair disappeared + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDisappearedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDisappearedTrap" + root.out.event.category.name = "panRAIDPairDisappearedTrap" + root.out.event.message = "panRAIDPairDisappearedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDisappearedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDPairDisappearedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDPairDisappearedTrap - UNEXPECTED VARBINDS for panRAIDPairDisappearedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2915 + # panRAIDDiskRemovedTrap + # + # Disk removed abnormally + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskRemovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskRemovedTrap" + root.out.event.category.name = "panRAIDDiskRemovedTrap" + root.out.event.message = "panRAIDDiskRemovedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskRemovedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDDiskRemovedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDDiskRemovedTrap - UNEXPECTED VARBINDS for panRAIDDiskRemovedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2916 + # panRAIDFsckStartTrap + # + # file system check started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckStartTrap" + root.out.event.category.name = "panRAIDFsckStartTrap" + root.out.event.message = "panRAIDFsckStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDFsckStartTrap - UNEXPECTED VARBINDS for panRAIDFsckStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2917 + # panRAIDFsckEndTrap + # + # file system check ended + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckEndTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckEndTrap" + root.out.event.category.name = "panRAIDFsckEndTrap" + root.out.event.message = "panRAIDFsckEndTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckEndTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckEndTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDFsckEndTrap - UNEXPECTED VARBINDS for panRAIDFsckEndTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2918 + # panRAIDFsckFailedTrap + # + # file system check failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckFailedTrap" + root.out.event.category.name = "panRAIDFsckFailedTrap" + root.out.event.message = "panRAIDFsckFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDFsckFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDFsckFailedTrap - UNEXPECTED VARBINDS for panRAIDFsckFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2919 + # panRAIDMountFailedTrap + # + # Disk mount failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDMountFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDMountFailedTrap" + root.out.event.category.name = "panRAIDMountFailedTrap" + root.out.event.message = "panRAIDMountFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDMountFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDMountFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDMountFailedTrap - UNEXPECTED VARBINDS for panRAIDMountFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 2920 + # panRAIDRebuildFailedTrap + # + # Disk Pair Rebuild failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildFailedTrap" + root.out.event.category.name = "panRAIDRebuildFailedTrap" + root.out.event.message = "panRAIDRebuildFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRAIDRebuildFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRAIDRebuildFailedTrap - UNEXPECTED VARBINDS for panRAIDRebuildFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3000 + # panVMDvfInitSucceedTrap + # + # VMware dvfilter init succeeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVMDvfInitSucceedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVMDvfInitSucceedTrap" + root.out.event.category.name = "panVMDvfInitSucceedTrap" + root.out.event.message = "panVMDvfInitSucceedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVMDvfInitSucceedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVMDvfInitSucceedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVMDvfInitSucceedTrap - UNEXPECTED VARBINDS for panVMDvfInitSucceedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3001 + # panVMDvfInitFailTrap + # + # VMware dvfilter init failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVMDvfInitFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVMDvfInitFailTrap" + root.out.event.category.name = "panVMDvfInitFailTrap" + root.out.event.message = "panVMDvfInitFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVMDvfInitFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panVMDvfInitFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panVMDvfInitFailTrap - UNEXPECTED VARBINDS for panVMDvfInitFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3100 + # panSSHSshSessionEstablishedTrap + # + # SSH session is established + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionEstablishedTrap" + root.out.event.category.name = "panSSHSshSessionEstablishedTrap" + root.out.event.message = "panSSHSshSessionEstablishedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionEstablishedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSHSshSessionEstablishedTrap - UNEXPECTED VARBINDS for panSSHSshSessionEstablishedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3101 + # panSSHSshSessionTerminatedTrap + # + # SSH session is terminated normally + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionTerminatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionTerminatedTrap" + root.out.event.category.name = "panSSHSshSessionTerminatedTrap" + root.out.event.message = "panSSHSshSessionTerminatedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionTerminatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionTerminatedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSHSshSessionTerminatedTrap - UNEXPECTED VARBINDS for panSSHSshSessionTerminatedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3102 + # panSSHSshSessionEstablishmentFailedTrap + # + # SSH session establishment failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionEstablishmentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionEstablishmentFailedTrap" + root.out.event.category.name = "panSSHSshSessionEstablishmentFailedTrap" + root.out.event.message = "panSSHSshSessionEstablishmentFailedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionEstablishmentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionEstablishmentFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSHSshSessionEstablishmentFailedTrap - UNEXPECTED VARBINDS for panSSHSshSessionEstablishmentFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3103 + # panSSHSshSessionDisconnectedTrap + # + # SSH session is disconnected by server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionDisconnectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionDisconnectedTrap" + root.out.event.category.name = "panSSHSshSessionDisconnectedTrap" + root.out.event.message = "panSSHSshSessionDisconnectedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionDisconnectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshSessionDisconnectedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSHSshSessionDisconnectedTrap - UNEXPECTED VARBINDS for panSSHSshSessionDisconnectedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3104 + # panSSHSshConnectionTrap + # + # SSH conection is accepted but not authenticated yet + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshConnectionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshConnectionTrap" + root.out.event.category.name = "panSSHSshConnectionTrap" + root.out.event.message = "panSSHSshConnectionTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshConnectionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSSHSshConnectionTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSSHSshConnectionTrap - UNEXPECTED VARBINDS for panSSHSshConnectionTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3200 + # panTLSTlsSessionEstablishedTrap + # + # TLS session is established + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionEstablishedTrap" + root.out.event.category.name = "panTLSTlsSessionEstablishedTrap" + root.out.event.message = "panTLSTlsSessionEstablishedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionEstablishedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionEstablishedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsSessionEstablishedTrap - UNEXPECTED VARBINDS for panTLSTlsSessionEstablishedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3201 + # panTLSTlsSessionTerminatedTrap + # + # TLS session is terminated normally + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionTerminatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionTerminatedTrap" + root.out.event.category.name = "panTLSTlsSessionTerminatedTrap" + root.out.event.message = "panTLSTlsSessionTerminatedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionTerminatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionTerminatedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsSessionTerminatedTrap - UNEXPECTED VARBINDS for panTLSTlsSessionTerminatedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3202 + # panTLSTlsSessionEstablishmentFailedTrap + # + # TLS session establishment failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionEstablishmentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionEstablishmentFailedTrap" + root.out.event.category.name = "panTLSTlsSessionEstablishmentFailedTrap" + root.out.event.message = "panTLSTlsSessionEstablishmentFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionEstablishmentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionEstablishmentFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsSessionEstablishmentFailedTrap - UNEXPECTED VARBINDS for panTLSTlsSessionEstablishmentFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3203 + # panTLSTlsSessionDisconnectedTrap + # + # TLS session is disconnected by server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionDisconnectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionDisconnectedTrap" + root.out.event.category.name = "panTLSTlsSessionDisconnectedTrap" + root.out.event.message = "panTLSTlsSessionDisconnectedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionDisconnectedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsSessionDisconnectedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsSessionDisconnectedTrap - UNEXPECTED VARBINDS for panTLSTlsSessionDisconnectedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3204 + # panTLSTlsEdlAuthFailureTrap + # + # TLS server certificate authentication failed for EDL + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsEdlAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsEdlAuthFailureTrap" + root.out.event.category.name = "panTLSTlsEdlAuthFailureTrap" + root.out.event.message = "panTLSTlsEdlAuthFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsEdlAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsEdlAuthFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsEdlAuthFailureTrap - UNEXPECTED VARBINDS for panTLSTlsEdlAuthFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3205 + # panTLSTlsX509ServerIdentFailedTrap + # + # TLS X509 Server Identifier failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ServerIdentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ServerIdentFailedTrap" + root.out.event.category.name = "panTLSTlsX509ServerIdentFailedTrap" + root.out.event.message = "panTLSTlsX509ServerIdentFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ServerIdentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ServerIdentFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509ServerIdentFailedTrap - UNEXPECTED VARBINDS for panTLSTlsX509ServerIdentFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3206 + # panTLSTlsX509ValidationFailedTrap + # + # TLS X509 Validation failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ValidationFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ValidationFailedTrap" + root.out.event.category.name = "panTLSTlsX509ValidationFailedTrap" + root.out.event.message = "panTLSTlsX509ValidationFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ValidationFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ValidationFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509ValidationFailedTrap - UNEXPECTED VARBINDS for panTLSTlsX509ValidationFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3207 + # panTLSTlsX509EkuServerAuthFailedTrap + # + # TLS X509 XKU Server auth failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuServerAuthFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuServerAuthFailedTrap" + root.out.event.category.name = "panTLSTlsX509EkuServerAuthFailedTrap" + root.out.event.message = "panTLSTlsX509EkuServerAuthFailedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuServerAuthFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuServerAuthFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509EkuServerAuthFailedTrap - UNEXPECTED VARBINDS for panTLSTlsX509EkuServerAuthFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3208 + # panTLSTlsX509ClientIdentFailedTrap + # + # TLS X509 Client Identifier failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ClientIdentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ClientIdentFailedTrap" + root.out.event.category.name = "panTLSTlsX509ClientIdentFailedTrap" + root.out.event.message = "panTLSTlsX509ClientIdentFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ClientIdentFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509ClientIdentFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509ClientIdentFailedTrap - UNEXPECTED VARBINDS for panTLSTlsX509ClientIdentFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3209 + # panTLSTlsX509EkuClientAuthFailedTrap + # + # TLS X509 XKU Client auth failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuClientAuthFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuClientAuthFailedTrap" + root.out.event.category.name = "panTLSTlsX509EkuClientAuthFailedTrap" + root.out.event.message = "panTLSTlsX509EkuClientAuthFailedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuClientAuthFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuClientAuthFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509EkuClientAuthFailedTrap - UNEXPECTED VARBINDS for panTLSTlsX509EkuClientAuthFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3210 + # panTLSTlsX509EkuClientAuthSuccessTrap + # + # TLS X509 XKU Client auth success. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuClientAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuClientAuthSuccessTrap" + root.out.event.category.name = "panTLSTlsX509EkuClientAuthSuccessTrap" + root.out.event.message = "panTLSTlsX509EkuClientAuthSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuClientAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuClientAuthSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509EkuClientAuthSuccessTrap - UNEXPECTED VARBINDS for panTLSTlsX509EkuClientAuthSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3211 + # panTLSPanoramaAuthFailureTrap + # + # Panorama auth failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanoramaAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanoramaAuthFailureTrap" + root.out.event.category.name = "panTLSPanoramaAuthFailureTrap" + root.out.event.message = "panTLSPanoramaAuthFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanoramaAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanoramaAuthFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSPanoramaAuthFailureTrap - UNEXPECTED VARBINDS for panTLSPanoramaAuthFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3212 + # panTLSPanoramaAuthSuccessTrap + # + # Panorama auth succeeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanoramaAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanoramaAuthSuccessTrap" + root.out.event.category.name = "panTLSPanoramaAuthSuccessTrap" + root.out.event.message = "panTLSPanoramaAuthSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanoramaAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanoramaAuthSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSPanoramaAuthSuccessTrap - UNEXPECTED VARBINDS for panTLSPanoramaAuthSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3213 + # panTLSPanosAuthFailureTrap + # + # PanOS auth failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanosAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanosAuthFailureTrap" + root.out.event.category.name = "panTLSPanosAuthFailureTrap" + root.out.event.message = "panTLSPanosAuthFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanosAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanosAuthFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSPanosAuthFailureTrap - UNEXPECTED VARBINDS for panTLSPanosAuthFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3214 + # panTLSPanosAuthSuccessTrap + # + # PanOS auth success + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanosAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanosAuthSuccessTrap" + root.out.event.category.name = "panTLSPanosAuthSuccessTrap" + root.out.event.message = "panTLSPanosAuthSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanosAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSPanosAuthSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSPanosAuthSuccessTrap - UNEXPECTED VARBINDS for panTLSPanosAuthSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3215 + # panTLSTlsX509EkuCodeSigningExtCheckFailedTrap + # + # TLS X509 XKU Client auth failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { 
+ if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuCodeSigningExtCheckFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuCodeSigningExtCheckFailedTrap" + root.out.event.category.name = "panTLSTlsX509EkuCodeSigningExtCheckFailedTrap" + root.out.event.message = "panTLSTlsX509EkuCodeSigningExtCheckFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuCodeSigningExtCheckFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509EkuCodeSigningExtCheckFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509EkuCodeSigningExtCheckFailedTrap - UNEXPECTED VARBINDS for panTLSTlsX509EkuCodeSigningExtCheckFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3216 + # panTLSTlsX509OcspCrlCheckFailedTrap + # + # TLS X509 CRL/OCSP check failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509OcspCrlCheckFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509OcspCrlCheckFailedTrap" + root.out.event.category.name = "panTLSTlsX509OcspCrlCheckFailedTrap" + root.out.event.message = "panTLSTlsX509OcspCrlCheckFailedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509OcspCrlCheckFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509OcspCrlCheckFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509OcspCrlCheckFailedTrap - UNEXPECTED VARBINDS for panTLSTlsX509OcspCrlCheckFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3217 + # panTLSTlsX509UntrustedCertIssuerFoundTrap + # + # TLS X509 Untrusted issuer found + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509UntrustedCertIssuerFoundTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509UntrustedCertIssuerFoundTrap" + root.out.event.category.name = "panTLSTlsX509UntrustedCertIssuerFoundTrap" + root.out.event.message = "panTLSTlsX509UntrustedCertIssuerFoundTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509UntrustedCertIssuerFoundTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSTlsX509UntrustedCertIssuerFoundTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSTlsX509UntrustedCertIssuerFoundTrap - UNEXPECTED VARBINDS for panTLSTlsX509UntrustedCertIssuerFoundTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3218 + # panTLSMfaAuthFailureTrap + # + # MFA server validation failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSMfaAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSMfaAuthFailureTrap" + root.out.event.category.name = "panTLSMfaAuthFailureTrap" + root.out.event.message = "panTLSMfaAuthFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSMfaAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSMfaAuthFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSMfaAuthFailureTrap - UNEXPECTED VARBINDS for panTLSMfaAuthFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3219 + # panTLSCertificateRenewalTrap + # + # Certificate renewal triggered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSCertificateRenewalTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSCertificateRenewalTrap" + root.out.event.category.name = "panTLSCertificateRenewalTrap" + root.out.event.message = "panTLSCertificateRenewalTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSCertificateRenewalTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSCertificateRenewalTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSCertificateRenewalTrap - UNEXPECTED VARBINDS for panTLSCertificateRenewalTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3220 + # panTLSCertificateExpiredTrap + # + # Certificate expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSCertificateExpiredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSCertificateExpiredTrap" + root.out.event.category.name = "panTLSCertificateExpiredTrap" + root.out.event.message = "panTLSCertificateExpiredTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSCertificateExpiredTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panTLSCertificateExpiredTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panTLSCertificateExpiredTrap - UNEXPECTED VARBINDS for panTLSCertificateExpiredTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3300 + # panLLDPRxErrorTrap + # + # receive error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPRxErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPRxErrorTrap" + root.out.event.category.name = "panLLDPRxErrorTrap" + root.out.event.message = "panLLDPRxErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPRxErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPRxErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLLDPRxErrorTrap - UNEXPECTED VARBINDS for panLLDPRxErrorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3301 + # panLLDPMibChangedTrap + # + # mib update event + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPMibChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPMibChangedTrap" + root.out.event.category.name = "panLLDPMibChangedTrap" + root.out.event.message = "panLLDPMibChangedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPMibChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPMibChangedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLLDPMibChangedTrap - UNEXPECTED VARBINDS for panLLDPMibChangedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3302 + # panLLDPTooManyNeighborsTrap + # + # too many neighbors + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTooManyNeighborsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTooManyNeighborsTrap" + root.out.event.category.name = "panLLDPTooManyNeighborsTrap" + root.out.event.message = "panLLDPTooManyNeighborsTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTooManyNeighborsTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTooManyNeighborsTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLLDPTooManyNeighborsTrap - UNEXPECTED VARBINDS for panLLDPTooManyNeighborsTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3303 + # panLLDPTooManyNeighborsTimerClearedTrap + # + # clear tooManyNeighbors timer + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTooManyNeighborsTimerClearedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTooManyNeighborsTimerClearedTrap" + root.out.event.category.name = "panLLDPTooManyNeighborsTimerClearedTrap" + root.out.event.message = "panLLDPTooManyNeighborsTimerClearedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTooManyNeighborsTimerClearedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTooManyNeighborsTimerClearedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLLDPTooManyNeighborsTimerClearedTrap - UNEXPECTED VARBINDS for panLLDPTooManyNeighborsTimerClearedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3304 + # panLLDPOtherTrap + # + # other reasons + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPOtherTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPOtherTrap" + root.out.event.category.name = "panLLDPOtherTrap" + root.out.event.message = "panLLDPOtherTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPOtherTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPOtherTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLLDPOtherTrap - UNEXPECTED VARBINDS for panLLDPOtherTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3305 + # panLLDPTxErrorTrap + # + # transmit error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTxErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTxErrorTrap" + root.out.event.category.name = "panLLDPTxErrorTrap" + root.out.event.message = "panLLDPTxErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTxErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panLLDPTxErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panLLDPTxErrorTrap - UNEXPECTED VARBINDS for panLLDPTxErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3400 + # panFBWildfireWrongCloudTypeTrap + # + # WildFire disabled due to wrong cloud type + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireWrongCloudTypeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireWrongCloudTypeTrap" + root.out.event.category.name = "panFBWildfireWrongCloudTypeTrap" + root.out.event.message = "panFBWildfireWrongCloudTypeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireWrongCloudTypeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireWrongCloudTypeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFBWildfireWrongCloudTypeTrap - UNEXPECTED VARBINDS for panFBWildfireWrongCloudTypeTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3401 + # panFBWildfireDisabledByCloudTrap + # + # WildFire Cloud does not support current PANOS version + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireDisabledByCloudTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireDisabledByCloudTrap" + root.out.event.category.name = "panFBWildfireDisabledByCloudTrap" + root.out.event.message = "panFBWildfireDisabledByCloudTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireDisabledByCloudTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireDisabledByCloudTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFBWildfireDisabledByCloudTrap - UNEXPECTED VARBINDS for panFBWildfireDisabledByCloudTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3402 + # panFBWildfireNoPolicyTrap + # + # WildFire disabled due to configuration + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireNoPolicyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireNoPolicyTrap" + root.out.event.category.name = "panFBWildfireNoPolicyTrap" + root.out.event.message = "panFBWildfireNoPolicyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireNoPolicyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireNoPolicyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFBWildfireNoPolicyTrap - UNEXPECTED VARBINDS for panFBWildfireNoPolicyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3403 + # panFBWildfireNoLicenseTrap + # + # WildFire registration failed due to invalid license + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + 
if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireNoLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireNoLicenseTrap" + root.out.event.category.name = "panFBWildfireNoLicenseTrap" + root.out.event.message = "panFBWildfireNoLicenseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireNoLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireNoLicenseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFBWildfireNoLicenseTrap - UNEXPECTED VARBINDS for panFBWildfireNoLicenseTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3404 + # panFBWildfireInvalidCloudInfoTrap + # + # WildFire registration failed due to invalid cloud info + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireInvalidCloudInfoTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireInvalidCloudInfoTrap" + root.out.event.category.name = "panFBWildfireInvalidCloudInfoTrap" + root.out.event.message = "panFBWildfireInvalidCloudInfoTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireInvalidCloudInfoTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panFBWildfireInvalidCloudInfoTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panFBWildfireInvalidCloudInfoTrap - UNEXPECTED VARBINDS for panFBWildfireInvalidCloudInfoTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3500 + # panBFDExpiredTimeTrap + # + # Control detection time expired + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDExpiredTimeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDExpiredTimeTrap" + root.out.event.category.name = "panBFDExpiredTimeTrap" + root.out.event.message = "panBFDExpiredTimeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDExpiredTimeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDExpiredTimeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBFDExpiredTimeTrap - UNEXPECTED VARBINDS for panBFDExpiredTimeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3501 + # panBFDNeighborDownTrap + # + # Neighbor signaled session down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDNeighborDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDNeighborDownTrap" + root.out.event.category.name = "panBFDNeighborDownTrap" + root.out.event.message = "panBFDNeighborDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDNeighborDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDNeighborDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBFDNeighborDownTrap - UNEXPECTED VARBINDS for panBFDNeighborDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3502 + # panBFDForwardPlaneResetTrap + # + # Forwarding plane reset + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDForwardPlaneResetTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDForwardPlaneResetTrap" + root.out.event.category.name = "panBFDForwardPlaneResetTrap" + root.out.event.message = "panBFDForwardPlaneResetTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDForwardPlaneResetTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDForwardPlaneResetTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBFDForwardPlaneResetTrap - UNEXPECTED VARBINDS for panBFDForwardPlaneResetTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3503 + # panBFDAdminDownTrap + # + # Administrative down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDAdminDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDAdminDownTrap" + root.out.event.category.name = "panBFDAdminDownTrap" + root.out.event.message = "panBFDAdminDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDAdminDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDAdminDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBFDAdminDownTrap - UNEXPECTED VARBINDS for panBFDAdminDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3504 + # panBFDSessionStateChangeTrap + # + # Session state change + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDSessionStateChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDSessionStateChangeTrap" + root.out.event.category.name = "panBFDSessionStateChangeTrap" + root.out.event.message = "panBFDSessionStateChangeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDSessionStateChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDSessionStateChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBFDSessionStateChangeTrap - UNEXPECTED VARBINDS for panBFDSessionStateChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3505 + # panBFDSessionCapacityTrap + # + # BFD session capacity reached + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDSessionCapacityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDSessionCapacityTrap" + root.out.event.category.name = "panBFDSessionCapacityTrap" + root.out.event.message = "panBFDSessionCapacityTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDSessionCapacityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBFDSessionCapacityTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBFDSessionCapacityTrap - UNEXPECTED VARBINDS for panBFDSessionCapacityTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3600 + # panAUTHGeneralTrap + # + # General auth event + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHGeneralTrap" + root.out.event.category.name = "panAUTHGeneralTrap" + root.out.event.message = "panAUTHGeneralTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHGeneralTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHGeneralTrap - UNEXPECTED VARBINDS for panAUTHGeneralTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3601 + # panAUTHAuthServerDownTrap + # + # Can not contact auth server + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthServerDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthServerDownTrap" + root.out.event.category.name = "panAUTHAuthServerDownTrap" + root.out.event.message = "panAUTHAuthServerDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthServerDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthServerDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHAuthServerDownTrap - UNEXPECTED VARBINDS for panAUTHAuthServerDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3602 + # panAUTHCreateAdminAcctErrorTrap + # + # Can not create admin account + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateAdminAcctErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateAdminAcctErrorTrap" + root.out.event.category.name = "panAUTHCreateAdminAcctErrorTrap" + root.out.event.message = "panAUTHCreateAdminAcctErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateAdminAcctErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateAdminAcctErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCreateAdminAcctErrorTrap - UNEXPECTED VARBINDS for panAUTHCreateAdminAcctErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3603 + # panAUTHAuthFailTrap + # + # Authentication attempt faliure + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthFailTrap" + root.out.event.category.name = "panAUTHAuthFailTrap" + root.out.event.message = "panAUTHAuthFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHAuthFailTrap - UNEXPECTED VARBINDS for panAUTHAuthFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3604 + # panAUTHAuthSuccessTrap + # + # Authentication attempt success + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthSuccessTrap" + root.out.event.category.name = "panAUTHAuthSuccessTrap" + root.out.event.message = "panAUTHAuthSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHAuthSuccessTrap - UNEXPECTED VARBINDS for panAUTHAuthSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3605 + # panAUTHSamlClientRedirectTrap + # + # SAML client redirect + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlClientRedirectTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlClientRedirectTrap" + root.out.event.category.name = "panAUTHSamlClientRedirectTrap" + root.out.event.message = "panAUTHSamlClientRedirectTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlClientRedirectTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlClientRedirectTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHSamlClientRedirectTrap - UNEXPECTED VARBINDS for panAUTHSamlClientRedirectTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3606 + # panAUTHSamlIdpActivityTrap + # + # SAML IdP activity + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlIdpActivityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlIdpActivityTrap" + root.out.event.category.name = "panAUTHSamlIdpActivityTrap" + root.out.event.message = "panAUTHSamlIdpActivityTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlIdpActivityTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlIdpActivityTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHSamlIdpActivityTrap - UNEXPECTED VARBINDS for panAUTHSamlIdpActivityTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3607 + # panAUTHSamlCertificateWarningTrap + # + # SAML IdP certificate expiring + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlCertificateWarningTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlCertificateWarningTrap" + root.out.event.category.name = "panAUTHSamlCertificateWarningTrap" + root.out.event.message = "panAUTHSamlCertificateWarningTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlCertificateWarningTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlCertificateWarningTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHSamlCertificateWarningTrap - UNEXPECTED VARBINDS for panAUTHSamlCertificateWarningTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3608 + # panAUTHSamlCertificateErrorTrap + # + # SAML IdP or SP certificate error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlCertificateErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlCertificateErrorTrap" + root.out.event.category.name = "panAUTHSamlCertificateErrorTrap" + root.out.event.message = "panAUTHSamlCertificateErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlCertificateErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlCertificateErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHSamlCertificateErrorTrap - UNEXPECTED VARBINDS for panAUTHSamlCertificateErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3609 + # panAUTHSamlMessageParseErrorTrap + # + # SAML message parse error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { 
+ if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlMessageParseErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlMessageParseErrorTrap" + root.out.event.category.name = "panAUTHSamlMessageParseErrorTrap" + root.out.event.message = "panAUTHSamlMessageParseErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlMessageParseErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlMessageParseErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHSamlMessageParseErrorTrap - UNEXPECTED VARBINDS for panAUTHSamlMessageParseErrorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3610 + # panAUTHSamlOutOfBandMessageTrap + # + # SAML SP received unsolicited message + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlOutOfBandMessageTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlOutOfBandMessageTrap" + root.out.event.category.name = "panAUTHSamlOutOfBandMessageTrap" + root.out.event.message = "panAUTHSamlOutOfBandMessageTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlOutOfBandMessageTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlOutOfBandMessageTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHSamlOutOfBandMessageTrap - UNEXPECTED VARBINDS for panAUTHSamlOutOfBandMessageTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3611 + # panAUTHSamlSignatureValidatedTrap + # + # SAML signature in message is validated + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlSignatureValidatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlSignatureValidatedTrap" + root.out.event.category.name = "panAUTHSamlSignatureValidatedTrap" + root.out.event.message = "panAUTHSamlSignatureValidatedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlSignatureValidatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSamlSignatureValidatedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHSamlSignatureValidatedTrap - UNEXPECTED VARBINDS for panAUTHSamlSignatureValidatedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3612 + # panAUTHEdlCliAuthFailureTrap + # + # EDL client authentication failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHEdlCliAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHEdlCliAuthFailureTrap" + root.out.event.category.name = "panAUTHEdlCliAuthFailureTrap" + root.out.event.message = "panAUTHEdlCliAuthFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHEdlCliAuthFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHEdlCliAuthFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHEdlCliAuthFailureTrap - UNEXPECTED VARBINDS for panAUTHEdlCliAuthFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3613 + # panAUTHLogoutSuccessTrap + # + # Logout is successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHLogoutSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHLogoutSuccessTrap" + root.out.event.category.name = "panAUTHLogoutSuccessTrap" + root.out.event.message = "panAUTHLogoutSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHLogoutSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHLogoutSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHLogoutSuccessTrap - UNEXPECTED VARBINDS for panAUTHLogoutSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3614 + # panAUTHLogoutFailedTrap + # + # Logout is failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHLogoutFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHLogoutFailedTrap" + root.out.event.category.name = "panAUTHLogoutFailedTrap" + root.out.event.message = "panAUTHLogoutFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHLogoutFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHLogoutFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHLogoutFailedTrap - UNEXPECTED VARBINDS for panAUTHLogoutFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3615 + # panAUTHIdpInitiatedLogOutSuccessTrap + # + # SAML IdP initiated Logout is successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHIdpInitiatedLogOutSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHIdpInitiatedLogOutSuccessTrap" + root.out.event.category.name = "panAUTHIdpInitiatedLogOutSuccessTrap" + root.out.event.message = "panAUTHIdpInitiatedLogOutSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHIdpInitiatedLogOutSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHIdpInitiatedLogOutSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHIdpInitiatedLogOutSuccessTrap - UNEXPECTED VARBINDS for panAUTHIdpInitiatedLogOutSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3616 + # panAUTHSpInitiatedLogOutSuccessTrap + # + # SAML SP initiated Logout is successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSpInitiatedLogOutSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSpInitiatedLogOutSuccessTrap" + root.out.event.category.name = "panAUTHSpInitiatedLogOutSuccessTrap" + root.out.event.message = "panAUTHSpInitiatedLogOutSuccessTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSpInitiatedLogOutSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHSpInitiatedLogOutSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHSpInitiatedLogOutSuccessTrap - UNEXPECTED VARBINDS for panAUTHSpInitiatedLogOutSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3617 + # panAUTHUserPasswordChangeSuccessTrap + # + # User password change is successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHUserPasswordChangeSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHUserPasswordChangeSuccessTrap" + root.out.event.category.name = "panAUTHUserPasswordChangeSuccessTrap" + root.out.event.message = "panAUTHUserPasswordChangeSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHUserPasswordChangeSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHUserPasswordChangeSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHUserPasswordChangeSuccessTrap - UNEXPECTED VARBINDS for panAUTHUserPasswordChangeSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3618 + # panAUTHUserPasswordChangeFailedTrap + # + # User password change is failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHUserPasswordChangeFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHUserPasswordChangeFailedTrap" + root.out.event.category.name = "panAUTHUserPasswordChangeFailedTrap" + root.out.event.message = "panAUTHUserPasswordChangeFailedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHUserPasswordChangeFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHUserPasswordChangeFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHUserPasswordChangeFailedTrap - UNEXPECTED VARBINDS for panAUTHUserPasswordChangeFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3619 + # panAUTHCasClientRedirectTrap + # + # CAS client redirect + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasClientRedirectTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasClientRedirectTrap" + root.out.event.category.name = "panAUTHCasClientRedirectTrap" + root.out.event.message = "panAUTHCasClientRedirectTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasClientRedirectTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasClientRedirectTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasClientRedirectTrap - UNEXPECTED VARBINDS for panAUTHCasClientRedirectTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3620 + # panAUTHCasTokenReceivedTrap + # + # CAS token is received + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenReceivedTrap" + root.out.event.category.name = "panAUTHCasTokenReceivedTrap" + root.out.event.message = "panAUTHCasTokenReceivedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasTokenReceivedTrap - UNEXPECTED VARBINDS for panAUTHCasTokenReceivedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3621 + # panAUTHCasTokenValidatedTrap + # + # CAS token is validated + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenValidatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenValidatedTrap" + root.out.event.category.name = "panAUTHCasTokenValidatedTrap" + root.out.event.message = "panAUTHCasTokenValidatedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenValidatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenValidatedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasTokenValidatedTrap - UNEXPECTED VARBINDS for panAUTHCasTokenValidatedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3622 + # panAUTHCasTokenInvalidatedTrap + # + # CAS token is invalidated + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenInvalidatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenInvalidatedTrap" + root.out.event.category.name = "panAUTHCasTokenInvalidatedTrap" + root.out.event.message = "panAUTHCasTokenInvalidatedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenInvalidatedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenInvalidatedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasTokenInvalidatedTrap - UNEXPECTED VARBINDS for panAUTHCasTokenInvalidatedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3623 + # panAUTHCasTokenParseErrorTrap + # + # CAS token has parse error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenParseErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenParseErrorTrap" + root.out.event.category.name = "panAUTHCasTokenParseErrorTrap" + root.out.event.message = "panAUTHCasTokenParseErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenParseErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasTokenParseErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasTokenParseErrorTrap - UNEXPECTED VARBINDS for panAUTHCasTokenParseErrorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3624 + # panAUTHCasMfaInfoTrap + # + # CAS multi factor authentication info + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasMfaInfoTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasMfaInfoTrap" + root.out.event.category.name = "panAUTHCasMfaInfoTrap" + root.out.event.message = "panAUTHCasMfaInfoTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasMfaInfoTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasMfaInfoTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasMfaInfoTrap - UNEXPECTED VARBINDS for panAUTHCasMfaInfoTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3625 + # panAUTHCasCertificateWarningTrap + # + # CAS or device certificate expiring + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasCertificateWarningTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasCertificateWarningTrap" + root.out.event.category.name = "panAUTHCasCertificateWarningTrap" + root.out.event.message = "panAUTHCasCertificateWarningTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasCertificateWarningTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasCertificateWarningTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasCertificateWarningTrap - UNEXPECTED VARBINDS for panAUTHCasCertificateWarningTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3626 + # panAUTHCasCertificateErrorTrap + # + # CAS or device certificate error + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasCertificateErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasCertificateErrorTrap" + root.out.event.category.name = "panAUTHCasCertificateErrorTrap" + root.out.event.message = "panAUTHCasCertificateErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasCertificateErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasCertificateErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasCertificateErrorTrap - UNEXPECTED VARBINDS for panAUTHCasCertificateErrorTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3627 + # panAUTHCasMessageTrap + # + # Message from CAS + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasMessageTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasMessageTrap" + root.out.event.category.name = "panAUTHCasMessageTrap" + root.out.event.message = "panAUTHCasMessageTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasMessageTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCasMessageTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCasMessageTrap - UNEXPECTED VARBINDS for panAUTHCasMessageTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3628 + # panAUTHAuthServerUpTrap + # + # Contact auth server successfully + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthServerUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthServerUpTrap" + root.out.event.category.name = "panAUTHAuthServerUpTrap" + root.out.event.message = "panAUTHAuthServerUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthServerUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHAuthServerUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHAuthServerUpTrap - UNEXPECTED VARBINDS for panAUTHAuthServerUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3629 + # panAUTHHTTP407Trap + # + # 407 Proxy Authentication Required + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHHTTP407Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHHTTP407Trap" + root.out.event.category.name = "panAUTHHTTP407Trap" + root.out.event.message = "panAUTHHTTP407Trap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHHTTP407Trap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHHTTP407Trap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHHTTP407Trap - UNEXPECTED VARBINDS for panAUTHHTTP407Trap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3630 + # panAUTHTacacsAcctTxFailTrap + # + # Failed to send TACACS+ acct record to any of the servers in accounting-server-profile + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHTacacsAcctTxFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHTacacsAcctTxFailTrap" + root.out.event.category.name = "panAUTHTacacsAcctTxFailTrap" + root.out.event.message = "panAUTHTacacsAcctTxFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHTacacsAcctTxFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHTacacsAcctTxFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHTacacsAcctTxFailTrap - UNEXPECTED VARBINDS for panAUTHTacacsAcctTxFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3631 + # panAUTHTacacsAcctTxSuccessTrap + # + # Successfully sent TACACS+ acct record to a server in accounting-server-profile + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHTacacsAcctTxSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHTacacsAcctTxSuccessTrap" + root.out.event.category.name = "panAUTHTacacsAcctTxSuccessTrap" + root.out.event.message = "panAUTHTacacsAcctTxSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHTacacsAcctTxSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHTacacsAcctTxSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHTacacsAcctTxSuccessTrap - UNEXPECTED VARBINDS for panAUTHTacacsAcctTxSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3632 + # panAUTHExitAuthSequenceTrap + # + # Exit authentication sequence + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHExitAuthSequenceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHExitAuthSequenceTrap" + root.out.event.category.name = "panAUTHExitAuthSequenceTrap" + root.out.event.message = "panAUTHExitAuthSequenceTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHExitAuthSequenceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHExitAuthSequenceTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHExitAuthSequenceTrap - UNEXPECTED VARBINDS for panAUTHExitAuthSequenceTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3633 + # panAUTHCantGetKcdKrbtgtTrap + # + # Can not get ticket granting ticket for on-prem KCD agent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantGetKcdKrbtgtTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantGetKcdKrbtgtTrap" + root.out.event.category.name = "panAUTHCantGetKcdKrbtgtTrap" + root.out.event.message = "panAUTHCantGetKcdKrbtgtTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantGetKcdKrbtgtTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantGetKcdKrbtgtTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCantGetKcdKrbtgtTrap - UNEXPECTED VARBINDS for panAUTHCantGetKcdKrbtgtTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3634 + # panAUTHGetKcdKrbtgtTrap + # + # Get ticket granting ticket for on-prem KCD agent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHGetKcdKrbtgtTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHGetKcdKrbtgtTrap" + root.out.event.category.name = "panAUTHGetKcdKrbtgtTrap" + root.out.event.message = "panAUTHGetKcdKrbtgtTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHGetKcdKrbtgtTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHGetKcdKrbtgtTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHGetKcdKrbtgtTrap - UNEXPECTED VARBINDS for panAUTHGetKcdKrbtgtTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3635 + # panAUTHCantMapUidToUsernameTrap + # + # Can not map user id to username + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantMapUidToUsernameTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantMapUidToUsernameTrap" + root.out.event.category.name = "panAUTHCantMapUidToUsernameTrap" + root.out.event.message = "panAUTHCantMapUidToUsernameTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantMapUidToUsernameTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantMapUidToUsernameTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCantMapUidToUsernameTrap - UNEXPECTED VARBINDS for panAUTHCantMapUidToUsernameTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3636 + # panAUTHCantMapRidToDelegationTrap + # + # Can not map auth policy rule id to delegation profile + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantMapRidToDelegationTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantMapRidToDelegationTrap" + root.out.event.category.name = "panAUTHCantMapRidToDelegationTrap" + root.out.event.message = "panAUTHCantMapRidToDelegationTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantMapRidToDelegationTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantMapRidToDelegationTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCantMapRidToDelegationTrap - UNEXPECTED VARBINDS for panAUTHCantMapRidToDelegationTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3637 + # panAUTHCantS4u2selfTrap + # + # Can not get a service ticket to itself on behalf of a user + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantS4u2selfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantS4u2selfTrap" + root.out.event.category.name = "panAUTHCantS4u2selfTrap" + root.out.event.message = "panAUTHCantS4u2selfTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantS4u2selfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantS4u2selfTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCantS4u2selfTrap - UNEXPECTED VARBINDS for panAUTHCantS4u2selfTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3638 + # panAUTHS4u2selfTrap + # + # Get a service ticket to itself on behalf of a user + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHS4u2selfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHS4u2selfTrap" + root.out.event.category.name = "panAUTHS4u2selfTrap" + root.out.event.message = "panAUTHS4u2selfTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHS4u2selfTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHS4u2selfTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHS4u2selfTrap - UNEXPECTED VARBINDS for panAUTHS4u2selfTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3639 + # panAUTHCantS4u2proxyTrap + # + # Cannot get a service ticket to another service on behalf of a user + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantS4u2proxyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantS4u2proxyTrap" + root.out.event.category.name = "panAUTHCantS4u2proxyTrap" + root.out.event.message = "panAUTHCantS4u2proxyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantS4u2proxyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantS4u2proxyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCantS4u2proxyTrap - UNEXPECTED VARBINDS for panAUTHCantS4u2proxyTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3640 + # panAUTHS4u2proxyTrap + # + # Get a service ticket to another service on behalf of a user + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHS4u2proxyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHS4u2proxyTrap" + root.out.event.category.name = "panAUTHS4u2proxyTrap" + root.out.event.message = "panAUTHS4u2proxyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHS4u2proxyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHS4u2proxyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHS4u2proxyTrap - UNEXPECTED VARBINDS for panAUTHS4u2proxyTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3641 + # panAUTHCantCreateApReqTrap + # + # Cannot create AP_REQ payload (SPNEGO token) + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantCreateApReqTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantCreateApReqTrap" + root.out.event.category.name = "panAUTHCantCreateApReqTrap" + root.out.event.message = "panAUTHCantCreateApReqTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantCreateApReqTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCantCreateApReqTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCantCreateApReqTrap - UNEXPECTED VARBINDS for panAUTHCantCreateApReqTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3642 + # panAUTHCreateApReqTrap + # + # Create AP_REQ payload (SPNEGO token) + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateApReqTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateApReqTrap" + root.out.event.category.name = "panAUTHCreateApReqTrap" + root.out.event.message = "panAUTHCreateApReqTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateApReqTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateApReqTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCreateApReqTrap - UNEXPECTED VARBINDS for panAUTHCreateApReqTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3643 + # panAUTHCreateApReqTimedoutTrap + # + # Create AP_REQ payload (SPNEGO token) : timed out + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateApReqTimedoutTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateApReqTimedoutTrap" + root.out.event.category.name = "panAUTHCreateApReqTimedoutTrap" + root.out.event.message = "panAUTHCreateApReqTimedoutTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateApReqTimedoutTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTHCreateApReqTimedoutTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTHCreateApReqTimedoutTrap - UNEXPECTED VARBINDS for panAUTHCreateApReqTimedoutTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3700 + # panCLUSTERDClusterDaemonInitTrap + # + # Cluster daemon is initializing. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonInitTrap" + root.out.event.category.name = "panCLUSTERDClusterDaemonInitTrap" + root.out.event.message = "panCLUSTERDClusterDaemonInitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonInitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonInitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterDaemonInitTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterDaemonInitTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3701 + # panCLUSTERDClusterDaemonStartTrap + # + # Cluster daemon is ready. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonStartTrap" + root.out.event.category.name = "panCLUSTERDClusterDaemonStartTrap" + root.out.event.message = "panCLUSTERDClusterDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterDaemonStartTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterDaemonStartTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3702 + # panCLUSTERDClusterDaemonExitTrap + # + # Cluster daemon has exited. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonExitTrap" + root.out.event.category.name = "panCLUSTERDClusterDaemonExitTrap" + root.out.event.message = "panCLUSTERDClusterDaemonExitTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonExitTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonExitTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterDaemonExitTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterDaemonExitTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3703 + # panCLUSTERDClusterDaemonCfgTrap + # + # Cluster daemon is unable to get last cfg from cfgagent. Out of retries. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonCfgTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonCfgTrap" + root.out.event.category.name = "panCLUSTERDClusterDaemonCfgTrap" + root.out.event.message = "panCLUSTERDClusterDaemonCfgTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonCfgTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonCfgTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterDaemonCfgTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterDaemonCfgTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3704 + # panCLUSTERDClusterDaemonCfgGiveupTrap + # + # Cluster daemon is unable to get last cfg from cfgagent. Retrying. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonCfgGiveupTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonCfgGiveupTrap" + root.out.event.category.name = "panCLUSTERDClusterDaemonCfgGiveupTrap" + root.out.event.message = "panCLUSTERDClusterDaemonCfgGiveupTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonCfgGiveupTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterDaemonCfgGiveupTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterDaemonCfgGiveupTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterDaemonCfgGiveupTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3705 + # panCLUSTERDClusterSplitBrainEnterTrap + # + # Cluster enters split-brain mode. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSplitBrainEnterTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSplitBrainEnterTrap" + root.out.event.category.name = "panCLUSTERDClusterSplitBrainEnterTrap" + root.out.event.message = "panCLUSTERDClusterSplitBrainEnterTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSplitBrainEnterTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSplitBrainEnterTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterSplitBrainEnterTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterSplitBrainEnterTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3706 + # panCLUSTERDClusterSplitBrainLeaveTrap + # + # Cluster left split-brain mode. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSplitBrainLeaveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSplitBrainLeaveTrap" + root.out.event.category.name = "panCLUSTERDClusterSplitBrainLeaveTrap" + root.out.event.message = "panCLUSTERDClusterSplitBrainLeaveTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSplitBrainLeaveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSplitBrainLeaveTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterSplitBrainLeaveTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterSplitBrainLeaveTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3707 + # panCLUSTERDClusterCfgModeTrap + # + # Cluster node mode is changed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgModeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgModeTrap" + root.out.event.category.name = "panCLUSTERDClusterCfgModeTrap" + root.out.event.message = "panCLUSTERDClusterCfgModeTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgModeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgModeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterCfgModeTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterCfgModeTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3708 + # panCLUSTERDClusterCfgClusterNameTrap + # + # Cluster name is changed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgClusterNameTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgClusterNameTrap" + root.out.event.category.name = "panCLUSTERDClusterCfgClusterNameTrap" + root.out.event.message = "panCLUSTERDClusterCfgClusterNameTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgClusterNameTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgClusterNameTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterCfgClusterNameTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterCfgClusterNameTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3709 + # panCLUSTERDClusterCfgNodeNameTrap + # + # Cluster node name is changed. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgNodeNameTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgNodeNameTrap" + root.out.event.category.name = "panCLUSTERDClusterCfgNodeNameTrap" + root.out.event.message = "panCLUSTERDClusterCfgNodeNameTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgNodeNameTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgNodeNameTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterCfgNodeNameTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterCfgNodeNameTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3710 + # panCLUSTERDClusterCfgNodeAddrTrap + # + # Cluster node address is changed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgNodeAddrTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgNodeAddrTrap" + root.out.event.category.name = "panCLUSTERDClusterCfgNodeAddrTrap" + root.out.event.message = "panCLUSTERDClusterCfgNodeAddrTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgNodeAddrTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterCfgNodeAddrTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterCfgNodeAddrTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterCfgNodeAddrTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3711 + # panCLUSTERDClusterEngineSuspendOnTrap + # + # Cluster engine entered suspend mode. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineSuspendOnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineSuspendOnTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineSuspendOnTrap" + root.out.event.message = "panCLUSTERDClusterEngineSuspendOnTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineSuspendOnTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineSuspendOnTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineSuspendOnTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineSuspendOnTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3712 + # panCLUSTERDClusterEngineSuspendOffTrap + # + # Cluster engine left suspend mode. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineSuspendOffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineSuspendOffTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineSuspendOffTrap" + root.out.event.message = "panCLUSTERDClusterEngineSuspendOffTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineSuspendOffTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineSuspendOffTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineSuspendOffTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineSuspendOffTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3713 + # panCLUSTERDClusterEngineStartTrap + # + # Cluster engine will be started for: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineStartTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineStartTrap" + root.out.event.message = "panCLUSTERDClusterEngineStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineStartTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3714 + # panCLUSTERDClusterServiceReadyTrap + # + # Cluster service is ready. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceReadyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceReadyTrap" + root.out.event.category.name = "panCLUSTERDClusterServiceReadyTrap" + root.out.event.message = "panCLUSTERDClusterServiceReadyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceReadyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceReadyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterServiceReadyTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterServiceReadyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3715 + # panCLUSTERDClusterServiceUpTrap + # + # Cluster service up: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceUpTrap" + root.out.event.category.name = "panCLUSTERDClusterServiceUpTrap" + root.out.event.message = "panCLUSTERDClusterServiceUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterServiceUpTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterServiceUpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3716 + # panCLUSTERDClusterServiceDownTrap + # + # Cluster service down: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceDownTrap" + root.out.event.category.name = "panCLUSTERDClusterServiceDownTrap" + root.out.event.message = "panCLUSTERDClusterServiceDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterServiceDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterServiceDownTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterServiceDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3717 + # panCLUSTERDClusterJobRequestTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobRequestTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobRequestTrap" + root.out.event.category.name = "panCLUSTERDClusterJobRequestTrap" + root.out.event.message = "panCLUSTERDClusterJobRequestTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobRequestTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobRequestTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterJobRequestTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterJobRequestTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3718 + # panCLUSTERDClusterJobResponseTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobResponseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobResponseTrap" + root.out.event.category.name = "panCLUSTERDClusterJobResponseTrap" + root.out.event.message = "panCLUSTERDClusterJobResponseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobResponseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobResponseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterJobResponseTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterJobResponseTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3719 + # panCLUSTERDClusterJobFinishTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobFinishTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobFinishTrap" + root.out.event.category.name = "panCLUSTERDClusterJobFinishTrap" + root.out.event.message = "panCLUSTERDClusterJobFinishTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobFinishTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobFinishTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterJobFinishTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterJobFinishTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3720 + # panCLUSTERDClusterJobCancelTrap + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobCancelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobCancelTrap" + root.out.event.category.name = "panCLUSTERDClusterJobCancelTrap" + root.out.event.message = "panCLUSTERDClusterJobCancelTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobCancelTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterJobCancelTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterJobCancelTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterJobCancelTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3721 + # panCLUSTERDClusterHaSyncPeerBackupTrap + # + # Cluster daemon HA sync started when peer device becomes passive. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterHaSyncPeerBackupTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterHaSyncPeerBackupTrap" + root.out.event.category.name = "panCLUSTERDClusterHaSyncPeerBackupTrap" + root.out.event.message = "panCLUSTERDClusterHaSyncPeerBackupTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterHaSyncPeerBackupTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterHaSyncPeerBackupTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterHaSyncPeerBackupTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterHaSyncPeerBackupTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3722 + # panCLUSTERDClusterHaSyncSelfMasterTrap + # + # Cluster daemon HA sync started when local device becomes master. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterHaSyncSelfMasterTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterHaSyncSelfMasterTrap" + root.out.event.category.name = "panCLUSTERDClusterHaSyncSelfMasterTrap" + root.out.event.message = "panCLUSTERDClusterHaSyncSelfMasterTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterHaSyncSelfMasterTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterHaSyncSelfMasterTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterHaSyncSelfMasterTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterHaSyncSelfMasterTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3723 + # panCLUSTERDClusterConfigP1SuccessTrap + # + # Cluster daemon configuration load phase-1 succeeded. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1SuccessTrap" + root.out.event.category.name = "panCLUSTERDClusterConfigP1SuccessTrap" + root.out.event.message = "panCLUSTERDClusterConfigP1SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterConfigP1SuccessTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterConfigP1SuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3724 + # panCLUSTERDClusterConfigP1FailedTrap + # + # Cluster daemon configuration load phase-1 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1FailedTrap" + root.out.event.category.name = "panCLUSTERDClusterConfigP1FailedTrap" + root.out.event.message = "panCLUSTERDClusterConfigP1FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterConfigP1FailedTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterConfigP1FailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3725 + # panCLUSTERDClusterConfigP1AbortTrap + # + # Cluster daemon configuration load phase-1 aborted. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1AbortTrap" + root.out.event.category.name = "panCLUSTERDClusterConfigP1AbortTrap" + root.out.event.message = "panCLUSTERDClusterConfigP1AbortTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1AbortTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP1AbortTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterConfigP1AbortTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterConfigP1AbortTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3726 + # panCLUSTERDClusterConfigP2SuccessTrap + # + # Cluster daemon configuration load phase-2 succeeded. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP2SuccessTrap" + root.out.event.category.name = "panCLUSTERDClusterConfigP2SuccessTrap" + root.out.event.message = "panCLUSTERDClusterConfigP2SuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP2SuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP2SuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterConfigP2SuccessTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterConfigP2SuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3727 + # panCLUSTERDClusterConfigP2FailedTrap + # + # Cluster daemon configuration load phase-2 failed. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP2FailedTrap" + root.out.event.category.name = "panCLUSTERDClusterConfigP2FailedTrap" + root.out.event.message = "panCLUSTERDClusterConfigP2FailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } 
+ if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP2FailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterConfigP2FailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterConfigP2FailedTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterConfigP2FailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3728 + # panCLUSTERDClusterEngineControllerTrap + # + # Cluster engine has started as controller role. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineControllerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineControllerTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineControllerTrap" + root.out.event.message = "panCLUSTERDClusterEngineControllerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineControllerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineControllerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineControllerTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineControllerTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3729 + # panCLUSTERDClusterEngineServerTrap + # + # Cluster engine has started as worker role - server mode. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineServerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineServerTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineServerTrap" + root.out.event.message = "panCLUSTERDClusterEngineServerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineServerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineServerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineServerTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineServerTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3730 + # panCLUSTERDClusterEngineWorkerTrap + # + # Cluster engine has started as worker role. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineWorkerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineWorkerTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineWorkerTrap" + root.out.event.message = "panCLUSTERDClusterEngineWorkerTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineWorkerTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineWorkerTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineWorkerTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineWorkerTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3731 + # panCLUSTERDClusterEngineReloadTrap + # + # Cluster engine has reloading new configuration. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineReloadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineReloadTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineReloadTrap" + root.out.event.message = "panCLUSTERDClusterEngineReloadTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineReloadTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineReloadTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineReloadTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineReloadTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3732 + # panCLUSTERDClusterEngineRestartTrap + # + # Cluster engine will be restarted with new configuration. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineRestartTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineRestartTrap" + root.out.event.message = "panCLUSTERDClusterEngineRestartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineRestartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineRestartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineRestartTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineRestartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3733 + # panCLUSTERDClusterEngineShutdownTrap + # + # Cluster engine has shutdown. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineShutdownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineShutdownTrap" + root.out.event.category.name = "panCLUSTERDClusterEngineShutdownTrap" + root.out.event.message = "panCLUSTERDClusterEngineShutdownTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineShutdownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterEngineShutdownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterEngineShutdownTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterEngineShutdownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3734 + # panCLUSTERDClusterSelfJoinTrap + # + # Local node joined cluster: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfJoinTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfJoinTrap" + root.out.event.category.name = "panCLUSTERDClusterSelfJoinTrap" + root.out.event.message = "panCLUSTERDClusterSelfJoinTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfJoinTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfJoinTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterSelfJoinTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterSelfJoinTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3735 + # panCLUSTERDClusterSelfDownTrap + # + # Local node lost connection with cluster: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfDownTrap" + root.out.event.category.name = "panCLUSTERDClusterSelfDownTrap" + root.out.event.message = "panCLUSTERDClusterSelfDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterSelfDownTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterSelfDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3736 + # panCLUSTERDClusterSelfLeaveTrap + # + # Local node left cluster: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfLeaveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfLeaveTrap" + root.out.event.category.name = "panCLUSTERDClusterSelfLeaveTrap" + root.out.event.message = "panCLUSTERDClusterSelfLeaveTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfLeaveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterSelfLeaveTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterSelfLeaveTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterSelfLeaveTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3737 + # panCLUSTERDClusterOtherJoinTrap + # + # Peer node joined cluster: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherJoinTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherJoinTrap" + root.out.event.category.name = "panCLUSTERDClusterOtherJoinTrap" + root.out.event.message = "panCLUSTERDClusterOtherJoinTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherJoinTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherJoinTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterOtherJoinTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterOtherJoinTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3738 + # panCLUSTERDClusterOtherDownTrap + # + # Peer node lost connection with cluster: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherDownTrap" + root.out.event.category.name = "panCLUSTERDClusterOtherDownTrap" + root.out.event.message = "panCLUSTERDClusterOtherDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterOtherDownTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterOtherDownTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3739 + # panCLUSTERDClusterOtherLeaveTrap + # + # Peer node left cluster: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherLeaveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherLeaveTrap" + root.out.event.category.name = "panCLUSTERDClusterOtherLeaveTrap" + root.out.event.message = "panCLUSTERDClusterOtherLeaveTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherLeaveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherLeaveTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterOtherLeaveTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterOtherLeaveTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3740 + # panCLUSTERDClusterOtherIpIncompatibleTrap + # + # Peer node IP is not compatible with current cluster interface IP + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherIpIncompatibleTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherIpIncompatibleTrap" + root.out.event.category.name = "panCLUSTERDClusterOtherIpIncompatibleTrap" + root.out.event.message = "panCLUSTERDClusterOtherIpIncompatibleTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherIpIncompatibleTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCLUSTERDClusterOtherIpIncompatibleTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCLUSTERDClusterOtherIpIncompatibleTrap - UNEXPECTED VARBINDS for panCLUSTERDClusterOtherIpIncompatibleTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3800 + # panIPV6NDIpv6DisabledTrap + # + # Neighbor IPv6 disabled + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDIpv6DisabledTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDIpv6DisabledTrap" + root.out.event.category.name = "panIPV6NDIpv6DisabledTrap" + root.out.event.message = "panIPV6NDIpv6DisabledTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDIpv6DisabledTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDIpv6DisabledTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIPV6NDIpv6DisabledTrap - UNEXPECTED VARBINDS for panIPV6NDIpv6DisabledTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3801 + # panIPV6NDDuplicatedIPv6AddressFoundTrap + # + # Neighbor DAD + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDDuplicatedIPv6AddressFoundTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDDuplicatedIPv6AddressFoundTrap" + root.out.event.category.name = "panIPV6NDDuplicatedIPv6AddressFoundTrap" + root.out.event.message = "panIPV6NDDuplicatedIPv6AddressFoundTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDDuplicatedIPv6AddressFoundTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDDuplicatedIPv6AddressFoundTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIPV6NDDuplicatedIPv6AddressFoundTrap - UNEXPECTED VARBINDS for panIPV6NDDuplicatedIPv6AddressFoundTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3802 + # panIPV6NDInconsistentRaMessageReceivedTrap + # + # Neighbor inconsistent RA + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDInconsistentRaMessageReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDInconsistentRaMessageReceivedTrap" + root.out.event.category.name = "panIPV6NDInconsistentRaMessageReceivedTrap" + root.out.event.message = "panIPV6NDInconsistentRaMessageReceivedTrap, " + root.out.paloalto.panSystemDescription 
+ root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() 
+ } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { 
+ root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDInconsistentRaMessageReceivedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIPV6NDInconsistentRaMessageReceivedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIPV6NDInconsistentRaMessageReceivedTrap - UNEXPECTED VARBINDS for panIPV6NDInconsistentRaMessageReceivedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 3900 + # panDYNAMICUPDATESPaloAltoNetworksMessageTrap + # + # Received Palo Alto Networks secure content related message + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if 
this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + 
"." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDYNAMICUPDATESPaloAltoNetworksMessageTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDYNAMICUPDATESPaloAltoNetworksMessageTrap" + root.out.event.category.name = "panDYNAMICUPDATESPaloAltoNetworksMessageTrap" + root.out.event.message = "panDYNAMICUPDATESPaloAltoNetworksMessageTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDYNAMICUPDATESPaloAltoNetworksMessageTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDYNAMICUPDATESPaloAltoNetworksMessageTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDYNAMICUPDATESPaloAltoNetworksMessageTrap - UNEXPECTED VARBINDS for panDYNAMICUPDATESPaloAltoNetworksMessageTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4000 + # panUUIDPolicyRuleUuidModifiedTrap + # + # Received Policy Rule UUID change update + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUUIDPolicyRuleUuidModifiedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUUIDPolicyRuleUuidModifiedTrap" + root.out.event.category.name = "panUUIDPolicyRuleUuidModifiedTrap" + root.out.event.message = "panUUIDPolicyRuleUuidModifiedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUUIDPolicyRuleUuidModifiedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panUUIDPolicyRuleUuidModifiedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panUUIDPolicyRuleUuidModifiedTrap - UNEXPECTED VARBINDS for panUUIDPolicyRuleUuidModifiedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4100 + # panGRETunnelStatusUpTrap + # + # GRE tunnel status changed to up + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelStatusUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelStatusUpTrap" + root.out.event.category.name = "panGRETunnelStatusUpTrap" + root.out.event.message = "panGRETunnelStatusUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelStatusUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelStatusUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGRETunnelStatusUpTrap - UNEXPECTED VARBINDS for panGRETunnelStatusUpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4101 + # panGRETunnelStatusDownTrap + # + # GRE tunnel status changed to down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelStatusDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelStatusDownTrap" + root.out.event.category.name = "panGRETunnelStatusDownTrap" + root.out.event.message = "panGRETunnelStatusDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelStatusDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelStatusDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGRETunnelStatusDownTrap - UNEXPECTED VARBINDS for panGRETunnelStatusDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4102 + # panGRETunnelRecurRoutingTrap + # + # GRE tunnel status changed to down, recursive routing + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelRecurRoutingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelRecurRoutingTrap" + root.out.event.category.name = "panGRETunnelRecurRoutingTrap" + root.out.event.message = "panGRETunnelRecurRoutingTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelRecurRoutingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panGRETunnelRecurRoutingTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panGRETunnelRecurRoutingTrap - UNEXPECTED VARBINDS for panGRETunnelRecurRoutingTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4200 + # panPANOCHECKPanoramaCheckSkipTrap + # + # Skipping panorama check + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckSkipTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckSkipTrap" + root.out.event.category.name = "panPANOCHECKPanoramaCheckSkipTrap" + root.out.event.message = "panPANOCHECKPanoramaCheckSkipTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckSkipTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckSkipTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPANOCHECKPanoramaCheckSkipTrap - UNEXPECTED VARBINDS for panPANOCHECKPanoramaCheckSkipTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4201 + # panPANOCHECKPanoramaCheckAutoDisabledTrap + # + # Disabling feature implcitly for this commit + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckAutoDisabledTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckAutoDisabledTrap" + root.out.event.category.name = "panPANOCHECKPanoramaCheckAutoDisabledTrap" + root.out.event.message = "panPANOCHECKPanoramaCheckAutoDisabledTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckAutoDisabledTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckAutoDisabledTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPANOCHECKPanoramaCheckAutoDisabledTrap - UNEXPECTED VARBINDS for panPANOCHECKPanoramaCheckAutoDisabledTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4202 + # panPANOCHECKPanoramaCheckAutoRevertTrap + # + # Revrting configuration + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckAutoRevertTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckAutoRevertTrap" + root.out.event.category.name = "panPANOCHECKPanoramaCheckAutoRevertTrap" + root.out.event.message = "panPANOCHECKPanoramaCheckAutoRevertTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckAutoRevertTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckAutoRevertTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPANOCHECKPanoramaCheckAutoRevertTrap - UNEXPECTED VARBINDS for panPANOCHECKPanoramaCheckAutoRevertTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4203 + # panPANOCHECKPanoramaCheckTestTrap + # + # Hourly cron job + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckTestTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckTestTrap" + root.out.event.category.name = "panPANOCHECKPanoramaCheckTestTrap" + root.out.event.message = "panPANOCHECKPanoramaCheckTestTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckTestTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPANOCHECKPanoramaCheckTestTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPANOCHECKPanoramaCheckTestTrap - UNEXPECTED VARBINDS for panPANOCHECKPanoramaCheckTestTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4300 + # panSDWANSdwanVifStatusUpTrap + # + # SD-WAN vif status change to up. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSDWANSdwanVifStatusUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSDWANSdwanVifStatusUpTrap" + root.out.event.category.name = "panSDWANSdwanVifStatusUpTrap" + root.out.event.message = "panSDWANSdwanVifStatusUpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSDWANSdwanVifStatusUpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSDWANSdwanVifStatusUpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSDWANSdwanVifStatusUpTrap - UNEXPECTED VARBINDS for panSDWANSdwanVifStatusUpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4301 + # panSDWANSdwanVifStatusDownTrap + # + # SD-WAN vif status change to down. 
+ processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = 
this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSDWANSdwanVifStatusDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSDWANSdwanVifStatusDownTrap" + root.out.event.category.name = "panSDWANSdwanVifStatusDownTrap" + root.out.event.message = "panSDWANSdwanVifStatusDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = 
this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = 
this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = 
this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = 
this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSDWANSdwanVifStatusDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSDWANSdwanVifStatusDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSDWANSdwanVifStatusDownTrap - UNEXPECTED VARBINDS for panSDWANSdwanVifStatusDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4400 + # panDTCollectNowCancellingTrap + # + # collect-now cancelling + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if 
this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTCollectNowCancellingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTCollectNowCancellingTrap" + root.out.event.category.name = "panDTCollectNowCancellingTrap" + root.out.event.message = "panDTCollectNowCancellingTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTCollectNowCancellingTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTCollectNowCancellingTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDTCollectNowCancellingTrap - UNEXPECTED VARBINDS for panDTCollectNowCancellingTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4401 + # panDTSendSuccessTrap + # + # successfully sent + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTSendSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTSendSuccessTrap" + root.out.event.category.name = "panDTSendSuccessTrap" + root.out.event.message = "panDTSendSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTSendSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTSendSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDTSendSuccessTrap - UNEXPECTED VARBINDS for panDTSendSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4402 + # panDTSendFailedTrap + # + # failed sending the files + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTSendFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTSendFailedTrap" + root.out.event.category.name = "panDTSendFailedTrap" + root.out.event.message = "panDTSendFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTSendFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTSendFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDTSendFailedTrap - UNEXPECTED VARBINDS for panDTSendFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4403 + # panDTConfigGenerateSuccessTrap + # + # successfully generate new config files + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigGenerateSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigGenerateSuccessTrap" + root.out.event.category.name = "panDTConfigGenerateSuccessTrap" + root.out.event.message = "panDTConfigGenerateSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigGenerateSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigGenerateSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDTConfigGenerateSuccessTrap - UNEXPECTED VARBINDS for panDTConfigGenerateSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4404 + # panDTConfigLoadFailureTrap + # + # failed to load config file + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigLoadFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigLoadFailureTrap" + root.out.event.category.name = "panDTConfigLoadFailureTrap" + root.out.event.message = "panDTConfigLoadFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigLoadFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigLoadFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDTConfigLoadFailureTrap - UNEXPECTED VARBINDS for panDTConfigLoadFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4405 + # panDTConfigReloadFailureTrap + # + # failed to reload config files + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigReloadFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigReloadFailureTrap" + root.out.event.category.name = "panDTConfigReloadFailureTrap" + root.out.event.message = "panDTConfigReloadFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigReloadFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigReloadFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDTConfigReloadFailureTrap - UNEXPECTED VARBINDS for panDTConfigReloadFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4406 + # panDTConfigReplaceFailureTrap + # + # failed to replace config files + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigReplaceFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigReplaceFailureTrap" + root.out.event.category.name = "panDTConfigReplaceFailureTrap" + root.out.event.message = "panDTConfigReplaceFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigReplaceFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDTConfigReplaceFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDTConfigReplaceFailureTrap - UNEXPECTED VARBINDS for panDTConfigReplaceFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4500 + # panCTDAGENTConnectionStatusChangedTrap + # + # connection status has changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTConnectionStatusChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTConnectionStatusChangedTrap" + root.out.event.category.name = "panCTDAGENTConnectionStatusChangedTrap" + root.out.event.message = "panCTDAGENTConnectionStatusChangedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTConnectionStatusChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTConnectionStatusChangedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCTDAGENTConnectionStatusChangedTrap - UNEXPECTED VARBINDS for panCTDAGENTConnectionStatusChangedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4501 + # panCTDAGENTConfigurationFailureTrap + # + # failure caused by confiuration + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTConfigurationFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTConfigurationFailureTrap" + root.out.event.category.name = "panCTDAGENTConfigurationFailureTrap" + root.out.event.message = "panCTDAGENTConfigurationFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + 
if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTConfigurationFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTConfigurationFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCTDAGENTConfigurationFailureTrap - UNEXPECTED VARBINDS for panCTDAGENTConfigurationFailureTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4502 + # panCTDAGENTLicenseFailureTrap + # + # failure caused by license + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTLicenseFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTLicenseFailureTrap" + root.out.event.category.name = "panCTDAGENTLicenseFailureTrap" + root.out.event.message = "panCTDAGENTLicenseFailureTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTLicenseFailureTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTLicenseFailureTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCTDAGENTLicenseFailureTrap - UNEXPECTED VARBINDS for panCTDAGENTLicenseFailureTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4503 + # panCTDAGENTResourceIssueTrap + # + # resource related issue has occurred + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + 
if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTResourceIssueTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTResourceIssueTrap" + root.out.event.category.name = "panCTDAGENTResourceIssueTrap" + root.out.event.message = "panCTDAGENTResourceIssueTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTResourceIssueTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panCTDAGENTResourceIssueTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panCTDAGENTResourceIssueTrap - UNEXPECTED VARBINDS for panCTDAGENTResourceIssueTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4600 + # panSCHEDPUSHSchedSkipTrap + # + # Skipping push as all devices are in-sync + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSCHEDPUSHSchedSkipTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSCHEDPUSHSchedSkipTrap" + root.out.event.category.name = "panSCHEDPUSHSchedSkipTrap" + root.out.event.message = "panSCHEDPUSHSchedSkipTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSCHEDPUSHSchedSkipTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSCHEDPUSHSchedSkipTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSCHEDPUSHSchedSkipTrap - UNEXPECTED VARBINDS for panSCHEDPUSHSchedSkipTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4601 + # panSCHEDPUSHSchedExecTrap + # + # Successfully scheduled push to devices + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSCHEDPUSHSchedExecTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSCHEDPUSHSchedExecTrap" + root.out.event.category.name = "panSCHEDPUSHSchedExecTrap" + root.out.event.message = "panSCHEDPUSHSchedExecTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSCHEDPUSHSchedExecTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panSCHEDPUSHSchedExecTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panSCHEDPUSHSchedExecTrap - UNEXPECTED VARBINDS for panSCHEDPUSHSchedExecTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4700 + # panAUTOPUSHAutoPushContentAppPushedTrap + # + # App content is pushed to device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppPushedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppPushedTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentAppPushedTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentAppPushedTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppPushedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppPushedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentAppPushedTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentAppPushedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4701 + # panAUTOPUSHAutoPushContentAppSuccessTrap + # + # App content is installed on device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppSuccessTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentAppSuccessTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentAppSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentAppSuccessTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentAppSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4702 + # panAUTOPUSHAutoPushContentAppFailTrap + # + # App content is failed to be installed on device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppFailTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentAppFailTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentAppFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAppFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentAppFailTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentAppFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4703 + # panAUTOPUSHAutoPushContentThreatPushedTrap + # + # Threat content is pushed to device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatPushedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatPushedTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentThreatPushedTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentThreatPushedTrap, " + root.out.paloalto.panSystemDescription 
+ root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() 
+ } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { 
+ root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatPushedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatPushedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentThreatPushedTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentThreatPushedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4704 + # panAUTOPUSHAutoPushContentThreatSuccessTrap + # + # Threat content is installed on device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatSuccessTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentThreatSuccessTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentThreatSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentThreatSuccessTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentThreatSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4705 + # panAUTOPUSHAutoPushContentThreatFailTrap + # + # Threat content is failed to be installed on device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatFailTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentThreatFailTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentThreatFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentThreatFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentThreatFailTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentThreatFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4706 + # panAUTOPUSHAutoPushContentAntivirusPushedTrap + # + # Antivirus content is pushed to device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusPushedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusPushedTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentAntivirusPushedTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentAntivirusPushedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusPushedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusPushedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentAntivirusPushedTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentAntivirusPushedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4707 + # panAUTOPUSHAutoPushContentAntivirusSuccessTrap + # + # Antivirus content is installed on device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusSuccessTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentAntivirusSuccessTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentAntivirusSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentAntivirusSuccessTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentAntivirusSuccessTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4708 + # panAUTOPUSHAutoPushContentAntivirusFailTrap + # + # Antivirus content is failed to be installed on device + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusFailTrap" + root.out.event.category.name = "panAUTOPUSHAutoPushContentAntivirusFailTrap" + root.out.event.message = "panAUTOPUSHAutoPushContentAntivirusFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUTOPUSHAutoPushContentAntivirusFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUTOPUSHAutoPushContentAntivirusFailTrap - UNEXPECTED VARBINDS for panAUTOPUSHAutoPushContentAntivirusFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4800 + # panMonitoringDeviatingDeviceTrap + # + # Monitoring deviating devices + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMonitoringDeviatingDeviceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMonitoringDeviatingDeviceTrap" + root.out.event.category.name = "panMonitoringDeviatingDeviceTrap" + root.out.event.message = "panMonitoringDeviatingDeviceTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMonitoringDeviatingDeviceTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panMonitoringDeviatingDeviceTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panMonitoringDeviatingDeviceTrap - UNEXPECTED VARBINDS for panMonitoringDeviatingDeviceTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4900 + # panACEGeneralTrap + # + # General + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEGeneralTrap" + root.out.event.category.name = "panACEGeneralTrap" + root.out.event.message = "panACEGeneralTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEGeneralTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panACEGeneralTrap - UNEXPECTED VARBINDS for panACEGeneralTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4901 + # panACEConnectionTrap + # + # gRPC connection to cloud + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEConnectionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEConnectionTrap" + root.out.event.category.name = "panACEConnectionTrap" + root.out.event.message = "panACEConnectionTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEConnectionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEConnectionTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panACEConnectionTrap - UNEXPECTED VARBINDS for panACEConnectionTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4902 + # panACETaskTrap + # + # cloud application task info + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACETaskTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACETaskTrap" + root.out.event.category.name = "panACETaskTrap" + root.out.event.message = "panACETaskTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACETaskTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACETaskTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panACETaskTrap - UNEXPECTED VARBINDS for panACETaskTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 4903 + # panACEVersionTrap + # + # cloud application version + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEVersionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEVersionTrap" + root.out.event.category.name = "panACEVersionTrap" + root.out.event.message = "panACEVersionTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEVersionTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panACEVersionTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panACEVersionTrap - UNEXPECTED VARBINDS for panACEVersionTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5000 + # panAUDITGuiTrap + # + # GUI activity + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { 
+ if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGuiTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGuiTrap" + root.out.event.category.name = "panAUDITGuiTrap" + root.out.event.message = "panAUDITGuiTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGuiTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGuiTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUDITGuiTrap - UNEXPECTED VARBINDS for panAUDITGuiTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5001 + # panAUDITCliTrap + # + # CLI operational command + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITCliTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITCliTrap" + root.out.event.category.name = "panAUDITCliTrap" + root.out.event.message = "panAUDITCliTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITCliTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITCliTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUDITCliTrap - UNEXPECTED VARBINDS for panAUDITCliTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5002 + # panAUDITGuiOpTrap + # + # GUI operational command + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGuiOpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGuiOpTrap" + root.out.event.category.name = "panAUDITGuiOpTrap" + root.out.event.message = "panAUDITGuiOpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGuiOpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGuiOpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUDITGuiOpTrap - UNEXPECTED VARBINDS for panAUDITGuiOpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5003 + # panAUDITGnmiTrap + # + # GNMI request + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGnmiTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGnmiTrap" + root.out.event.category.name = "panAUDITGnmiTrap" + root.out.event.message = "panAUDITGnmiTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGnmiTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITGnmiTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUDITGnmiTrap - UNEXPECTED VARBINDS for panAUDITGnmiTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5004 + # panAUDITApiTrap + # + # REST API request + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { 
+ if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITApiTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITApiTrap" + root.out.event.category.name = "panAUDITApiTrap" + root.out.event.message = "panAUDITApiTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITApiTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panAUDITApiTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panAUDITApiTrap - UNEXPECTED VARBINDS for panAUDITApiTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5100 + # panBROKERMonitorFailTrap + # + # Monitor failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorFailTrap" + root.out.event.category.name = "panBROKERMonitorFailTrap" + root.out.event.message = "panBROKERMonitorFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERMonitorFailTrap - UNEXPECTED VARBINDS for panBROKERMonitorFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5101 + # panBROKERMonitorRecoverTrap + # + # Monitor recovered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorRecoverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorRecoverTrap" + root.out.event.category.name = "panBROKERMonitorRecoverTrap" + root.out.event.message = "panBROKERMonitorRecoverTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorRecoverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorRecoverTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERMonitorRecoverTrap - UNEXPECTED VARBINDS for panBROKERMonitorRecoverTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5102 + # panBROKERMonitorPathFailTrap + # + # Path monitor failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorPathFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorPathFailTrap" + root.out.event.category.name = "panBROKERMonitorPathFailTrap" + root.out.event.message = "panBROKERMonitorPathFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorPathFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorPathFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERMonitorPathFailTrap - UNEXPECTED VARBINDS for panBROKERMonitorPathFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5103 + # panBROKERMonitorPathRecoverTrap + # + # Path monitor recovered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorPathRecoverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorPathRecoverTrap" + root.out.event.category.name = "panBROKERMonitorPathRecoverTrap" + root.out.event.message = "panBROKERMonitorPathRecoverTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorPathRecoverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorPathRecoverTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERMonitorPathRecoverTrap - UNEXPECTED VARBINDS for panBROKERMonitorPathRecoverTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5104 + # panBROKERMonitorHttpFailTrap + # + # HTTP monitor failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorHttpFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorHttpFailTrap" + root.out.event.category.name = "panBROKERMonitorHttpFailTrap" + root.out.event.message = "panBROKERMonitorHttpFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorHttpFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorHttpFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERMonitorHttpFailTrap - UNEXPECTED VARBINDS for panBROKERMonitorHttpFailTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5105 + # panBROKERMonitorHttpRecoverTrap + # + # HTTP monitor recovered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorHttpRecoverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorHttpRecoverTrap" + root.out.event.category.name = "panBROKERMonitorHttpRecoverTrap" + root.out.event.message = "panBROKERMonitorHttpRecoverTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorHttpRecoverTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorHttpRecoverTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERMonitorHttpRecoverTrap - UNEXPECTED VARBINDS for panBROKERMonitorHttpRecoverTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5106 + # panBROKERMonitorLatencyExceedTrap + # + # Latency exceeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorLatencyExceedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorLatencyExceedTrap" + root.out.event.category.name = "panBROKERMonitorLatencyExceedTrap" + root.out.event.message = "panBROKERMonitorLatencyExceedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorLatencyExceedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorLatencyExceedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERMonitorLatencyExceedTrap - UNEXPECTED VARBINDS for panBROKERMonitorLatencyExceedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5107 + # panBROKERMonitorLatencyRestoreTrap + # + # Latency restored + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") 
{ + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorLatencyRestoreTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorLatencyRestoreTrap" + root.out.event.category.name = "panBROKERMonitorLatencyRestoreTrap" + root.out.event.message = "panBROKERMonitorLatencyRestoreTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorLatencyRestoreTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERMonitorLatencyRestoreTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERMonitorLatencyRestoreTrap - UNEXPECTED VARBINDS for panBROKERMonitorLatencyRestoreTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5108 + # panBROKERIcmpTrap + # + # ICMP message received + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERIcmpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERIcmpTrap" + root.out.event.category.name = "panBROKERIcmpTrap" + root.out.event.message = "panBROKERIcmpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERIcmpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panBROKERIcmpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panBROKERIcmpTrap - UNEXPECTED VARBINDS for panBROKERIcmpTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5200 + # panDDNSDdnsUpdateTrap + # + # DDNS update + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsUpdateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsUpdateTrap" + root.out.event.category.name = "panDDNSDdnsUpdateTrap" + root.out.event.message = "panDDNSDdnsUpdateTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsUpdateTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsUpdateTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDDNSDdnsUpdateTrap - UNEXPECTED VARBINDS for panDDNSDdnsUpdateTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5201 + # panDDNSDdnsRefreshTrap + # + # DDNS refresh + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsRefreshTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsRefreshTrap" + root.out.event.category.name = "panDDNSDdnsRefreshTrap" + root.out.event.message = "panDDNSDdnsRefreshTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsRefreshTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsRefreshTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDDNSDdnsRefreshTrap - UNEXPECTED VARBINDS for panDDNSDdnsRefreshTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5202 + # panDDNSDdnsRemoveTrap + # + # DDNS remove + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsRemoveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsRemoveTrap" + root.out.event.category.name = "panDDNSDdnsRemoveTrap" + root.out.event.message = "panDDNSDdnsRemoveTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsRemoveTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsRemoveTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDDNSDdnsRemoveTrap - UNEXPECTED VARBINDS for panDDNSDdnsRemoveTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5203 + # panDDNSDdnsUnsupportedTrap + # + # DDNS unsupported + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsUnsupportedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsUnsupportedTrap" + root.out.event.category.name = "panDDNSDdnsUnsupportedTrap" + root.out.event.message = "panDDNSDdnsUnsupportedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsUnsupportedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsUnsupportedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDDNSDdnsUnsupportedTrap - UNEXPECTED VARBINDS for panDDNSDdnsUnsupportedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5204 + # panDDNSDdnsDhcpTrap + # + # DDNS address released + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsDhcpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsDhcpTrap" + root.out.event.category.name = "panDDNSDdnsDhcpTrap" + root.out.event.message = "panDDNSDdnsDhcpTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsDhcpTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDDNSDdnsDhcpTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDDNSDdnsDhcpTrap - UNEXPECTED VARBINDS for panDDNSDdnsDhcpTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5300 + # panDEBUGPacketDiagLogTrap + # + # Packet-diag logging event + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDEBUGPacketDiagLogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDEBUGPacketDiagLogTrap" + root.out.event.category.name = "panDEBUGPacketDiagLogTrap" + root.out.event.message = "panDEBUGPacketDiagLogTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDEBUGPacketDiagLogTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDEBUGPacketDiagLogTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDEBUGPacketDiagLogTrap - UNEXPECTED VARBINDS for panDEBUGPacketDiagLogTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5400 + # panDNSSECPANELOGEVENTCACHEFAILTrap + # + # cache initialization from storage failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTCACHEFAILTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTCACHEFAILTrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTCACHEFAILTrap" + root.out.event.message = "panDNSSECPANELOGEVENTCACHEFAILTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTCACHEFAILTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTCACHEFAILTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTCACHEFAILTrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTCACHEFAILTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5401 + # panDNSSECPANELOGEVENTCACHESUCCESSTrap + # + # cache initialization from storage successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTCACHESUCCESSTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTCACHESUCCESSTrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTCACHESUCCESSTrap" + root.out.event.message = "panDNSSECPANELOGEVENTCACHESUCCESSTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTCACHESUCCESSTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTCACHESUCCESSTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTCACHESUCCESSTrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTCACHESUCCESSTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5402 + # panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap + # + # cloud service DNS resolution failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOHOSTTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5403 + # panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap + # + # cloud service network connectivity failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONNOROUTETrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5404 + # panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap + # + # cloud service connection refused + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSCLOUDCONNECTIONREFUSEDTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5405 + # panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap + # + # cloud service unavailable + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap, " + 
root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = 
this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() 
+ } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if 
this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if 
this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSCLOUDUNAVAILABLETrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5406 + # panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap + # + # cloud query timeout + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if 
this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + 
"." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSCLOUDTIMEOUTTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5407 + # panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap + # + # telemetry cloud service DNS resolution failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOHOSTTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5408 + # panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap + # + # telemetry cloud service network connectivity failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") 
+ root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONNOROUTETrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5409 + # panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap + # + # telemetry cloud service connection refused + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSTELECLOUDCONNECTIONREFUSEDTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5410 + # panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap + # + # telemetry cloud service unavailable + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 
= this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSTELECLOUDUNAVAILABLETrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5411 + # panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap + # + # telemetry cloud query timeout + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap" + root.out.event.category.name = "panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap, " + 
root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = 
this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() 
+ } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if 
this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if 
this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap - UNEXPECTED VARBINDS for panDNSSECPANELOGEVENTDNSTELECLOUDTIMEOUTTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5500 + # panIOTGeneralTrap + # + # General + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGeneralTrap" + root.out.event.category.name = "panIOTGeneralTrap" + root.out.event.message = "panIOTGeneralTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = 
this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + 
root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = 
this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = 
this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGeneralTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTGeneralTrap - UNEXPECTED VARBINDS for panIOTGeneralTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5501 + # panIOTHaQueueFullTrap + # + # HA queue is full + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTHaQueueFullTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTHaQueueFullTrap" + root.out.event.category.name = "panIOTHaQueueFullTrap" + root.out.event.message = "panIOTHaQueueFullTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTHaQueueFullTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTHaQueueFullTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTHaQueueFullTrap - UNEXPECTED VARBINDS for panIOTHaQueueFullTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5502 + # panIOTIcdHaStatusTrap + # + # Identity client HA status changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTIcdHaStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTIcdHaStatusTrap" + root.out.event.category.name = "panIOTIcdHaStatusTrap" + root.out.event.message = "panIOTIcdHaStatusTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTIcdHaStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTIcdHaStatusTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTIcdHaStatusTrap - UNEXPECTED VARBINDS for panIOTIcdHaStatusTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5503 + # panIOTLicenseTrap + # + # IoT license status changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTLicenseTrap" + root.out.event.category.name = "panIOTLicenseTrap" + root.out.event.message = "panIOTLicenseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTLicenseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTLicenseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTLicenseTrap - UNEXPECTED VARBINDS for panIOTLicenseTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5504 + # panIOTIcdDaemonStartTrap + # + # Identity client daemon is ready + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTIcdDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTIcdDaemonStartTrap" + root.out.event.category.name = "panIOTIcdDaemonStartTrap" + root.out.event.message = "panIOTIcdDaemonStartTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTIcdDaemonStartTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTIcdDaemonStartTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTIcdDaemonStartTrap - UNEXPECTED VARBINDS for panIOTIcdDaemonStartTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5505 + # panIOTGrpcConnSuccessTrap + # + # gRPC connection failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGrpcConnSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGrpcConnSuccessTrap" + root.out.event.category.name = "panIOTGrpcConnSuccessTrap" + root.out.event.message = "panIOTGrpcConnSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGrpcConnSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGrpcConnSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTGrpcConnSuccessTrap - UNEXPECTED VARBINDS for panIOTGrpcConnSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5506 + # panIOTGrpcConnFailedTrap + # + # gRPC connection success + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGrpcConnFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGrpcConnFailedTrap" + root.out.event.category.name = "panIOTGrpcConnFailedTrap" + root.out.event.message = "panIOTGrpcConnFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGrpcConnFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTGrpcConnFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTGrpcConnFailedTrap - UNEXPECTED VARBINDS for panIOTGrpcConnFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5507 + # panIOTPolicyRecommendationTrap + # + # IoT policy recommendation triggered + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTPolicyRecommendationTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTPolicyRecommendationTrap" + root.out.event.category.name = "panIOTPolicyRecommendationTrap" + root.out.event.message = "panIOTPolicyRecommendationTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTPolicyRecommendationTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTPolicyRecommendationTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTPolicyRecommendationTrap - UNEXPECTED VARBINDS for panIOTPolicyRecommendationTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5508 + # panIOTEalFormatChangedTrap + # + # Identity client EAL message format changed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTEalFormatChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTEalFormatChangedTrap" + root.out.event.category.name = "panIOTEalFormatChangedTrap" + root.out.event.message = "panIOTEalFormatChangedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { 
+ root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTEalFormatChangedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTEalFormatChangedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTEalFormatChangedTrap - UNEXPECTED VARBINDS for panIOTEalFormatChangedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5509 + # panIOTDatabaseTrap + # + # Identity client database connection success + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTDatabaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTDatabaseTrap" + root.out.event.category.name = "panIOTDatabaseTrap" + root.out.event.message = "panIOTDatabaseTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTDatabaseTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panIOTDatabaseTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panIOTDatabaseTrap - UNEXPECTED VARBINDS for panIOTDatabaseTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5600 + # panPLUGINGeneralTrap + # + # Plugin + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") 
{ + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPLUGINGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPLUGINGeneralTrap" + root.out.event.category.name = "panPLUGINGeneralTrap" + root.out.event.message = "panPLUGINGeneralTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPLUGINGeneralTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panPLUGINGeneralTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panPLUGINGeneralTrap - UNEXPECTED VARBINDS for panPLUGINGeneralTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5700 + # panRESCTRLMemLimitExceededTrap + # + # Memory limit exceeded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRESCTRLMemLimitExceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRESCTRLMemLimitExceededTrap" + root.out.event.category.name = "panRESCTRLMemLimitExceededTrap" + root.out.event.message = "panRESCTRLMemLimitExceededTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRESCTRLMemLimitExceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRESCTRLMemLimitExceededTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRESCTRLMemLimitExceededTrap - UNEXPECTED VARBINDS for panRESCTRLMemLimitExceededTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5701 + # panRESCTRLMemUsageNormalTrap + # + # Memory usage normal + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRESCTRLMemUsageNormalTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRESCTRLMemUsageNormalTrap" + root.out.event.category.name = "panRESCTRLMemUsageNormalTrap" + root.out.event.message = "panRESCTRLMemUsageNormalTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRESCTRLMemUsageNormalTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRESCTRLMemUsageNormalTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRESCTRLMemUsageNormalTrap - UNEXPECTED VARBINDS for panRESCTRLMemUsageNormalTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5800 + # panRTSIGMalForwardTrap + # + # malicious query forwarded + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGMalForwardTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGMalForwardTrap" + root.out.event.category.name = "panRTSIGMalForwardTrap" + root.out.event.message = "panRTSIGMalForwardTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGMalForwardTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGMalForwardTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRTSIGMalForwardTrap - UNEXPECTED VARBINDS for panRTSIGMalForwardTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5801 + # panRTSIGCacheInitFailTrap + # + # cache initialization from storage failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCacheInitFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCacheInitFailTrap" + root.out.event.category.name = "panRTSIGCacheInitFailTrap" + root.out.event.message = "panRTSIGCacheInitFailTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + 
root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCacheInitFailTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCacheInitFailTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRTSIGCacheInitFailTrap - UNEXPECTED VARBINDS for panRTSIGCacheInitFailTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5802 + # panRTSIGCacheInitSuccessTrap + # + # cache initialization from storage successful + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCacheInitSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCacheInitSuccessTrap" + root.out.event.category.name = "panRTSIGCacheInitSuccessTrap" + root.out.event.message = "panRTSIGCacheInitSuccessTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCacheInitSuccessTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCacheInitSuccessTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRTSIGCacheInitSuccessTrap - UNEXPECTED VARBINDS for panRTSIGCacheInitSuccessTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5803 + # panRTSIGCloudFailNohostTrap + # + # cloud service DNS resolution failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailNohostTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailNohostTrap" + root.out.event.category.name = "panRTSIGCloudFailNohostTrap" + root.out.event.message = "panRTSIGCloudFailNohostTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 
1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = 
this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + 
root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + 
root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailNohostTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailNohostTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRTSIGCloudFailNohostTrap - UNEXPECTED VARBINDS for panRTSIGCloudFailNohostTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5804 + # panRTSIGCloudFailNorouteTrap + # + # cloud service network connectivity failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailNorouteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailNorouteTrap" + root.out.event.category.name = "panRTSIGCloudFailNorouteTrap" + root.out.event.message = "panRTSIGCloudFailNorouteTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailNorouteTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailNorouteTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRTSIGCloudFailNorouteTrap - UNEXPECTED VARBINDS for panRTSIGCloudFailNorouteTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5805 + # panRTSIGCloudFailRefusedTrap + # + # cloud service connection refused + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailRefusedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailRefusedTrap" + root.out.event.category.name = "panRTSIGCloudFailRefusedTrap" + root.out.event.message = "panRTSIGCloudFailRefusedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailRefusedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailRefusedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRTSIGCloudFailRefusedTrap - UNEXPECTED VARBINDS for panRTSIGCloudFailRefusedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5806 + # panRTSIGCloudFailDownTrap + # + # cloud service unavailable + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailDownTrap" + root.out.event.category.name = "panRTSIGCloudFailDownTrap" + root.out.event.message = "panRTSIGCloudFailDownTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = 
root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if 
this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailDownTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudFailDownTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRTSIGCloudFailDownTrap - UNEXPECTED VARBINDS for panRTSIGCloudFailDownTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5807 + # panRTSIGCloudQueryTimeoutTrap + # + # cloud query timeout + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if 
this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudQueryTimeoutTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudQueryTimeoutTrap" + root.out.event.category.name = "panRTSIGCloudQueryTimeoutTrap" + root.out.event.message = "panRTSIGCloudQueryTimeoutTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if 
this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + 
root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudQueryTimeoutTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panRTSIGCloudQueryTimeoutTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panRTSIGCloudQueryTimeoutTrap - UNEXPECTED VARBINDS for panRTSIGCloudQueryTimeoutTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5900 + # panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap + # + # Trusted signer lookup failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap" + root.out.event.message = "panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCETrustedSignerLookupFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5901 + # panWILDFIREAPPLIANCENetworkUnavailableTrap + # + # Network is not accessible from virtual machine + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCENetworkUnavailableTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCENetworkUnavailableTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCENetworkUnavailableTrap" + root.out.event.message = "panWILDFIREAPPLIANCENetworkUnavailableTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCENetworkUnavailableTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCENetworkUnavailableTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCENetworkUnavailableTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCENetworkUnavailableTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5902 + # panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap + # + # Tor service is not accessible by vm + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap" + root.out.event.message = "panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEAnonymousNetworkUnavailableTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5903 + # panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap + # + # Anonymous service is down + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap" + root.out.event.message = "panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap, " + 
root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = 
this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() 
+ } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if 
this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if 
this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEAnonymousNetworkUnhealthyTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5904 + # panWILDFIREAPPLIANCESiggenFailedTrap + # + # Siggen failed for file + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if 
this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + 
"." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenFailedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCESiggenFailedTrap" + root.out.event.message = "panWILDFIREAPPLIANCESiggenFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() 
+ } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { 
+ root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = 
this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = 
this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCESiggenFailedTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCESiggenFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5905 + # panWILDFIREAPPLIANCECloudLookupSuccededTrap + # + # Cloud verdict lookup succeed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCECloudLookupSuccededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCECloudLookupSuccededTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCECloudLookupSuccededTrap" + root.out.event.message = "panWILDFIREAPPLIANCECloudLookupSuccededTrap, " + 
root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = 
this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() 
+ } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if 
this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if 
this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCECloudLookupSuccededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCECloudLookupSuccededTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCECloudLookupSuccededTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCECloudLookupSuccededTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5906 + # panWILDFIREAPPLIANCECloudLookupFailedTrap + # + # Cloud verdict lookup failed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if 
this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + 
"." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCECloudLookupFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCECloudLookupFailedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCECloudLookupFailedTrap" + root.out.event.message = "panWILDFIREAPPLIANCECloudLookupFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCECloudLookupFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCECloudLookupFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCECloudLookupFailedTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCECloudLookupFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5907 + # panWILDFIREAPPLIANCEClusterModeChangeTrap + # + # Cluster node mode changed to + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterModeChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterModeChangeTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterModeChangeTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterModeChangeTrap, " + root.out.paloalto.panSystemDescription + 
root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + 
} + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + 
root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + 
root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + 
root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterModeChangeTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterModeChangeTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterModeChangeTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterModeChangeTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5908 + # panWILDFIREAPPLIANCEClusterEngineRoleTrap + # + # Cluster engine started as + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if 
this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterEngineRoleTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterEngineRoleTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterEngineRoleTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterEngineRoleTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterEngineRoleTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterEngineRoleTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterEngineRoleTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterEngineRoleTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5909 + # panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap + # + # Cluster enters split-brain mode. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 
= this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterEnteredSplitBrainTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5910 + # panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap + # + # Cluster leaves split-brain mode. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys 
= this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterLeftSplitBrainTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5911 + # panWILDFIREAPPLIANCEClusterDecommissionedTrap + # + # Cluster node decommissioned + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDecommissionedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDecommissionedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterDecommissionedTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterDecommissionedTrap, " + 
root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = 
this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() 
+ } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if 
this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if 
this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDecommissionedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDecommissionedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterDecommissionedTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterDecommissionedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5912 + # panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap + # + # Global queue (rabbitmq) cluster formation succeeded with status: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if 
this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + 
"." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = 
this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = 
this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + 
root.out.event.message = "panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterFormationGlobalQueueSucceededTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5913 + # panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap + # + # Global queue (rabbitmq) cluster formation failed with status: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { 
+ root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterFormationGlobalQueueFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5914 + # panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap + # + # Global queue (rabbitmq) cluster is unhealthy. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterGlobalQueueUnhealthyTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5915 + # panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap + # + # Global queue (rabbitmq) cluster is in split-brain mode. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterGlobalQueueSplitbrainTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5916 + # panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap + # + # Global database (redis) cluster formation succeeded with status: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = 
this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = 
this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + 
root.out.event.message = "panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseSucceededTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5917 + # panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap + # + # Global database (redis) cluster formation failed with status: + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() 
+ } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = 
this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = 
this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap - UNEXPECTED VARBINDS for 
panWILDFIREAPPLIANCEClusterFormationGlobalDatabaseFailedTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5918 + # panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap + # + # Global database (redis) cluster is unhealthy. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterGlobalDatabaseUnhealthyTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5919 + # panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap + # + # Global database (redis) cluster is unavailable. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterGlobalDatabaseUnavailableTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5920 + # panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap + # + # Global database (redis) cluster is in split-brain mode. + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = 
this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterGlobalDatabaseSplitbrainTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5921 + # panWILDFIREAPPLIANCEClusterSiggenStatusTrap + # + # Signature generation service + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = 
this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterSiggenStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterSiggenStatusTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterSiggenStatusTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterSiggenStatusTrap, " + 
root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = 
this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() 
+ } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if 
this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if 
this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterSiggenStatusTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterSiggenStatusTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterSiggenStatusTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterSiggenStatusTrap trap!" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5922 + # panWILDFIREAPPLIANCEClusterSiggenErrorTrap + # + # WF private signature package could not be generated + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if 
this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + 
"." + root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterSiggenErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterSiggenErrorTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterSiggenErrorTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterSiggenErrorTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterSiggenErrorTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterSiggenErrorTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterSiggenErrorTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterSiggenErrorTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5923 + # panWILDFIREAPPLIANCESiggenPkgGenFailedTrap + # + # WF private signature package could not be generated + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenPkgGenFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenPkgGenFailedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCESiggenPkgGenFailedTrap" + root.out.event.message = "panWILDFIREAPPLIANCESiggenPkgGenFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenPkgGenFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenPkgGenFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCESiggenPkgGenFailedTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCESiggenPkgGenFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5924 + # panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap + # + # WF private signature package is in split-brain mode + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap" + root.out.event.message = "panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = 
this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() 
+ } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { 
+ root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + 
root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCESiggenPkgGenSplitbrainTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5925 + # panWILDFIREAPPLIANCEClusterDataMigrationStartedTrap + # + # Cluster data migration started + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationStartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationStartedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterDataMigrationStartedTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterDataMigrationStartedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationStartedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-SPECIpanWILDFIREAPPLIANCEClusterDataMigrationStartedTrapFIC-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterDataMigrationStartedTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterDataMigrationStartedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5926 + # panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap + # + # Cluster data migration succeeded - DataMigrationDone + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") 
+ root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterDataMigrationSucceededTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - check: this.trap.SpecificTrap == 5927 + # panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap + # + # Cluster data migration failed - DataMigrationFailed + processors: + - mapping: |- + #!blobl + root = this + + meta varbinds_ok = false + if this.trap.VarBinds.length() > 12 { + if this.trap.VarBinds.index(0).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.2") { + if this.trap.VarBinds.index(1).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.3") { + if this.trap.VarBinds.index(2).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.4") { + if this.trap.VarBinds.index(3).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.5") { + if this.trap.VarBinds.index(4).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.7") { + if this.trap.VarBinds.index(5).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.8") { + if this.trap.VarBinds.index(6).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.9") { + if this.trap.VarBinds.index(7).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.12") { + if this.trap.VarBinds.index(8).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.300") { + if this.trap.VarBinds.index(9).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.301") { + if this.trap.VarBinds.index(10).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.302") { + if this.trap.VarBinds.index(11).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.303") { + if this.trap.VarBinds.index(12).OID.has_prefix(".1.3.6.1.4.1.25461.2.1.3.1.304") { + meta varbinds_ok = true + }}}}}}}}}}}}}} + + - switch: + - check: metadata("varbinds_ok") + processors: + - mapping: |- + #!blobl + root = this + + root.out.paloalto.panReceiveTime = this.trap.VarBinds.index(0).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSerial = this.trap.VarBinds.index(1).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventType = this.trap.VarBinds.index(2).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panEventSubType = this.trap.VarBinds.index(3).Value.snmp_octet_display_hint("255t") + 
root.out.paloalto.panVsys = this.trap.VarBinds.index(4).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSeqno = this.trap.VarBinds.index(5).Value + root.out.paloalto.panActionflags = this.trap.VarBinds.index(6).Value.snmp_octet_string() + root.out.paloalto.panHostname = this.trap.VarBinds.index(7).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemEventId = this.trap.VarBinds.index(8).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemObject = this.trap.VarBinds.index(9).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemModule = this.trap.VarBinds.index(10).Value.snmp_octet_display_hint("255t") + root.out.paloalto.panSystemSeverity = this.trap.VarBinds.index(11).Value + root.out.paloalto.panSystemDescription = this.trap.VarBinds.index(12).Value.snmp_octet_display_hint("255t") + + root.out.object.name = "PAN-TRAPS::panCommonEvents" + root.out.object.index = "0" + root.out.object.entity = this.trap.AgentAddress.string() + "_" + root.out.object.name + "." 
+ root.out.object.index + root.TEMP.label = "" + if root.out.paloalto.panSystemModule.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "module: " + root.out.paloalto.panSystemModule + } + if root.out.paloalto.panSystemObject.length() > 0 { + if root.TEMP.label.length() > 0 { + root.TEMP.label = root.TEMP.label + ", " + } + root.TEMP.label = root.TEMP.label + "object: " + root.out.paloalto.panSystemObject + } + if root.TEMP.label.length() > 0 { + root.out.object.label = root.TEMP.label + } + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap" + root.out.event.category.name = "panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap" + root.out.event.message = "panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap, " + root.out.paloalto.panSystemDescription + root.out.event.severity.code = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_code").number() + root.out.event.severity.level = root.out.paloalto.panSystemSeverity.snmp_int_enum_enrich(".1.3.6.1.4.1.25461.2.1.3.1.303_level") + + - mapping: |- + #!blobl + root = this + + root.out.event.message = if root.out.exists("object.label") { + root.out.event.message + " [ " + root.out.object.label + " ]" + } + + - processors: + - mapping: |- + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + 
root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = 
this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() 
+ } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if 
this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap-unknown" + root.out.event.category.name = "unexpected varbinds" + root.out.event.message = "panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap - UNEXPECTED VARBINDS for panWILDFIREAPPLIANCEClusterDataMigrationFailedTrap trap!" 
+ root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning" + + - processors: + - label: default + mapping: | + #!blobl + root = this + + if this.trap.exists("VarBinds") && this.trap.VarBinds.length() > 0 { + root.out.snmptrap.varbind.oid_0 = this.trap.VarBinds.index(0).OID + root.out.snmptrap.varbind.type_0 = this.trap.VarBinds.index(0).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(0).Type == 4 || this.trap.VarBinds.index(0).Type == 68 { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_0 = this.trap.VarBinds.index(0).Value.string() + } + if this.trap.VarBinds.length() > 1 { + root.out.snmptrap.varbind.oid_1 = this.trap.VarBinds.index(1).OID + root.out.snmptrap.varbind.type_1 = this.trap.VarBinds.index(1).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(1).Type == 4 || this.trap.VarBinds.index(1).Type == 68 { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_1 = this.trap.VarBinds.index(1).Value.string() + } + if this.trap.VarBinds.length() > 2 { + root.out.snmptrap.varbind.oid_2 = this.trap.VarBinds.index(2).OID + root.out.snmptrap.varbind.type_2 = this.trap.VarBinds.index(2).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(2).Type == 4 || this.trap.VarBinds.index(2).Type == 68 { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_2 = this.trap.VarBinds.index(2).Value.string() + } + if this.trap.VarBinds.length() > 3 { + root.out.snmptrap.varbind.oid_3 = this.trap.VarBinds.index(3).OID + root.out.snmptrap.varbind.type_3 = this.trap.VarBinds.index(3).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(3).Type == 4 || this.trap.VarBinds.index(3).Type == 68 { + root.out.snmptrap.varbind.value_3 = 
this.trap.VarBinds.index(3).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_3 = this.trap.VarBinds.index(3).Value.string() + } + if this.trap.VarBinds.length() > 4 { + root.out.snmptrap.varbind.oid_4 = this.trap.VarBinds.index(4).OID + root.out.snmptrap.varbind.type_4 = this.trap.VarBinds.index(4).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(4).Type == 4 || this.trap.VarBinds.index(4).Type == 68 { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_4 = this.trap.VarBinds.index(4).Value.string() + } + if this.trap.VarBinds.length() > 5 { + root.out.snmptrap.varbind.oid_5 = this.trap.VarBinds.index(5).OID + root.out.snmptrap.varbind.type_5 = this.trap.VarBinds.index(5).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(5).Type == 4 || this.trap.VarBinds.index(5).Type == 68 { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_5 = this.trap.VarBinds.index(5).Value.string() + } + if this.trap.VarBinds.length() > 6 { + root.out.snmptrap.varbind.oid_6 = this.trap.VarBinds.index(6).OID + root.out.snmptrap.varbind.type_6 = this.trap.VarBinds.index(6).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(6).Type == 4 || this.trap.VarBinds.index(6).Type == 68 { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_6 = this.trap.VarBinds.index(6).Value.string() + } + if this.trap.VarBinds.length() > 7 { + root.out.snmptrap.varbind.oid_7 = this.trap.VarBinds.index(7).OID + root.out.snmptrap.varbind.type_7 = this.trap.VarBinds.index(7).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(7).Type == 4 || this.trap.VarBinds.index(7).Type == 68 { + root.out.snmptrap.varbind.value_7 = 
this.trap.VarBinds.index(7).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_7 = this.trap.VarBinds.index(7).Value.string() + } + if this.trap.VarBinds.length() > 8 { + root.out.snmptrap.varbind.oid_8 = this.trap.VarBinds.index(8).OID + root.out.snmptrap.varbind.type_8 = this.trap.VarBinds.index(8).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(8).Type == 4 || this.trap.VarBinds.index(8).Type == 68 { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_8 = this.trap.VarBinds.index(8).Value.string() + } + if this.trap.VarBinds.length() > 9 { + root.out.snmptrap.varbind.oid_9 = this.trap.VarBinds.index(9).OID + root.out.snmptrap.varbind.type_9 = this.trap.VarBinds.index(9).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(9).Type == 4 || this.trap.VarBinds.index(9).Type == 68 { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_9 = this.trap.VarBinds.index(9).Value.string() + } + if this.trap.VarBinds.length() > 10 { + root.out.snmptrap.varbind.oid_10 = this.trap.VarBinds.index(10).OID + root.out.snmptrap.varbind.type_10 = this.trap.VarBinds.index(10).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(10).Type == 4 || this.trap.VarBinds.index(10).Type == 68 { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_10 = this.trap.VarBinds.index(10).Value.string() + } + if this.trap.VarBinds.length() > 11 { + root.out.snmptrap.varbind.oid_11 = this.trap.VarBinds.index(11).OID + root.out.snmptrap.varbind.type_11 = this.trap.VarBinds.index(11).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(11).Type == 4 || this.trap.VarBinds.index(11).Type == 68 { + root.out.snmptrap.varbind.value_11 = 
this.trap.VarBinds.index(11).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_11 = this.trap.VarBinds.index(11).Value.string() + } + if this.trap.VarBinds.length() > 12 { + root.out.snmptrap.varbind.oid_12 = this.trap.VarBinds.index(12).OID + root.out.snmptrap.varbind.type_12 = this.trap.VarBinds.index(12).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(12).Type == 4 || this.trap.VarBinds.index(12).Type == 68 { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_12 = this.trap.VarBinds.index(12).Value.string() + } + if this.trap.VarBinds.length() > 13 { + root.out.snmptrap.varbind.oid_13 = this.trap.VarBinds.index(13).OID + root.out.snmptrap.varbind.type_13 = this.trap.VarBinds.index(13).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(13).Type == 4 || this.trap.VarBinds.index(13).Type == 68 { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_13 = this.trap.VarBinds.index(13).Value.string() + } + if this.trap.VarBinds.length() > 14 { + root.out.snmptrap.varbind.oid_14 = this.trap.VarBinds.index(14).OID + root.out.snmptrap.varbind.type_14 = this.trap.VarBinds.index(14).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(14).Type == 4 || this.trap.VarBinds.index(14).Type == 68 { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_14 = this.trap.VarBinds.index(14).Value.string() + } + if this.trap.VarBinds.length() > 15 { + root.out.snmptrap.varbind.oid_15 = this.trap.VarBinds.index(15).OID + root.out.snmptrap.varbind.type_15 = this.trap.VarBinds.index(15).Type.snmp_int_enum_enrich(".1_SnmpTypes") + if this.trap.VarBinds.index(15).Type == 4 || this.trap.VarBinds.index(15).Type == 68 { + root.out.snmptrap.varbind.value_15 = 
this.trap.VarBinds.index(15).Value.snmp_octet_string() + } else { + root.out.snmptrap.varbind.value_15 = this.trap.VarBinds.index(15).Value + } + }}}}}}}}}}}}}}}} + + root.out.event.class.name = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-unknown" + root.out.event.id = "SNMPTRAP-PAN-TRAPS-panCommonEventEvents-" + this.trap.SpecificTrap.string() + root.out.event.category.name = "unknown specific trap" + root.out.event.message = "unknown specific trap " + this.trap.SpecificTrap.string() + " from Palo Alto PAN-TRAPS-panCommonEventEvents" + root.out.event.severity.code = 4 + root.out.event.severity.level = "Warning"